How Do You Disable PHP Execution in WordPress Directories
If you want to learn how to disable PHP execution in WordPress directories, this post is for you. By default, WordPress makes some directories writeable so that you and authorized users can upload plugins, themes, videos and images. This capability is easy to abuse, and hackers can use it to plant a backdoor on your website. The malicious files they upload can be disguised as core WordPress files. They are written in PHP and can run in the background while gaining complete access to your website. This sounds scary, but the good news is that it is possible to get rid of this vulnerability. This article looks at the steps you need to take to disable PHP execution using the .htaccess file.
Disabling PHP execution in certain directories using the .htaccess file
On most websites you will find the .htaccess file in the root folder. This is a very powerful configuration file that can protect the admin area with a password, disable directory browsing, generate SEO-friendly URL structures and do other fundamental things. To disable PHP execution in WordPress you will need to locate this file. If it is missing, you can create it inside your WordPress directories.
To protect your site from backdoor files, you have to create a .htaccess file and upload it to your website’s /wp-includes/ and /wp-content/uploads/ directories. To do this, create a blank file on your computer using Notepad (TextEdit on Mac). Save this file as .htaccess and then paste the code below into it:
# Refuse web requests for any .php file in this directory and its subdirectories
<Files *.php>
deny from all
</Files>
Save the file, then upload it to your website’s /wp-includes/ and /wp-content/uploads/ folders on the WordPress hosting server. You can upload the file using an FTP client or through the File Manager app in the hosting account’s cPanel dashboard.
Uploading this file stops any PHP file in those directories from being run by requesting it through the web server. This is a simple trick that will surely improve the security of your WordPress website. Keep in mind, however, that this is not a fix for a website that has already been hacked. Backdoors are normally disguised cleverly and can even be hidden in plain sight. To check for any backdoor on your site, you have to install and activate Sucuri on your WordPress website.
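To confirm that the upload step took effect, the following added example (not code from the original article) checks both directories for a .htaccess file containing an active deny rule inside a <Files *.php> block, and lists PHP files sitting under uploads. The function names and the sample tree are constructed for illustration, and the check goes slightly beyond the article by also accepting the Apache 2.4 form "Require all denied".

```python
import re
import tempfile
from pathlib import Path

# Directories the article protects, relative to the WordPress root.
PROTECTED_DIRS = ("wp-includes", "wp-content/uploads")
# Body of a <Files *.php> block, and an active (uncommented) deny rule inside it:
# the article's "deny from all" or the Apache 2.4 form "Require all denied".
FILES_BLOCK = re.compile(r'<Files\s+"?\*\.php"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RULE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)


def has_php_deny(text):
    """True if some <Files *.php> block holds an active deny-all rule."""
    return any(DENY_RULE.search(body) for body in FILES_BLOCK.findall(text))


def audit(wp_root):
    """Map each protected directory to 'ok', 'no-htaccess' or 'no-deny-rule'."""
    report = {}
    for rel in PROTECTED_DIRS:
        htaccess = Path(wp_root, rel, ".htaccess")
        if not htaccess.is_file():
            report[rel] = "no-htaccess"
            continue
        active = has_php_deny(htaccess.read_text(errors="replace"))
        report[rel] = "ok" if active else "no-deny-rule"
    return report


def php_files_in_uploads(wp_root):
    """PHP files under uploads; each one deserves a manual review."""
    uploads = Path(wp_root, "wp-content", "uploads")
    return sorted(p.relative_to(wp_root).as_posix() for p in uploads.rglob("*.php"))


def build_sample_tree():
    """Constructed sample: wp-includes protected, uploads rule commented out."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-content/uploads/2024").mkdir(parents=True)
    (root / "wp-includes/.htaccess").write_text("<Files *.php>\ndeny from all\n</Files>\n")
    (root / "wp-content/uploads/.htaccess").write_text("<Files *.php>\n# deny from all\n</Files>\n")
    (root / "wp-content/uploads/2024/image.php").write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(audit(sample), php_files_in_uploads(sample))
```

Against a real site, pass the WordPress root folder to audit() and php_files_in_uploads() instead of the sample tree.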
You need to disable PHP execution in WordPress directories as soon as your website is set up. Waiting too long to do this may leave vulnerabilities that could force you to start over or even cost you your reputation.