
WordPress: How to Block PHP Execution by Directory?



We’ve seen numerous hacked WordPress installations where the hackers had uploaded secret files into the wp-content and wp-includes folders. These files are named similarly to actual WordPress filenames, but are actually shell, malware or even mailer scripts that let the hackers use your hosting account for their own purposes. These PHP scripts can wreak havoc on the server environment, get your IP blacklisted and force server admins to take your site down. Here’s one tip we recommend to help prevent this from happening.

To block hackers from executing PHP scripts in these directories, you can create an .htaccess file in each of them that tells the server PHP should NOT be run there directly. Here’s the code to place in a blank .htaccess file:

 # Deny web requests for every .php file in this directory and below
 <Files *.php>
 deny from all
 </Files>


You can then upload that .htaccess file to your wp-content and wp-includes folders.

Please Note: uploading this file to the wp-content folder can cause an issue with some themes and plugins, especially those using timthumb.php directly.  If that’s the case, just delete the file and all will be fixed.
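
The steps above as a script, added here as an example and not part of the original post: it appends the rule to the .htaccess in both folders without overwriting directives already there, and skips folders that already carry it. The function names and the BEGIN/END marker comments are made up for this example, the `Require all denied` branch is an addition for Apache 2.4 servers where the older `deny from all` syntax is not available, and it assumes the host lets .htaccess files set access rules.

```shell
#!/bin/sh
# Added example: install the article's rule into wp-content and wp-includes.
MARKER='# BEGIN block-php-execution'  # constructed marker, prevents duplicate rules

# Emit the rule. "Deny from all" is the article's directive; the
# "Require all denied" branch is an addition for Apache 2.4 (mod_authz_core).
php_block_rule() {
cat <<EOF
$MARKER
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</Files>
# END block-php-execution
EOF
}

# Succeeds if DIR/.htaccess already carries the marked rule.
is_protected() {
  [ -f "$1/.htaccess" ] && grep -qF "$MARKER" "$1/.htaccess"
}

# Append the rule to DIR/.htaccess, keeping any directives already there.
install_rule() {
  [ -d "$1" ] || { echo "skip: $1 is not a directory" >&2; return 1; }
  is_protected "$1" && return 0
  php_block_rule >> "$1/.htaccess"
}

# Apply to the two folders named in the article; non-zero if either is missing.
protect_wp() {
  rc=0
  for sub in wp-content wp-includes; do
    install_rule "$1/$sub" || rc=1
  done
  return "$rc"
}

# Stand-alone use: sh protect.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then protect_wp "$1"; fi
```

If a theme or plugin breaks as described in the note above, delete the lines between the BEGIN and END markers in that folder's .htaccess.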
