WordPress is always uploading something to your server. A WordPress core update re-uploads the entire WordPress core. Updating or installing a plugin or theme uploads code to your server and executes it. There are also directories such as wp-content/uploads/, where you or your users can upload images, PDFs, videos and other allowed files.
Your website is not completely under your control, because you are using plugins and themes from various other sources. You cannot be sure which plugin opens a backdoor to someone who wants to harm your website and who can then easily upload malware to your WordPress site and cause you problems.
Your server runs PHP, and any PHP file on it can be executed. PHP is powerful enough to read and write files, so malicious code can destroy your database or redirect your traffic to scam sites. Similarly, hackers can easily steal your users' information.
It is a very bad situation when you do not have control over everything.
WordPress itself runs on PHP, so there are several directories for which you cannot disable PHP execution; otherwise WordPress would not work at all.
To run properly, WordPress needs to execute PHP in certain directories. You cannot disable PHP for the following directories, or your website will not work:
- public_html
- wp-includes
- wp-admin
- wp-content
- wp-content/themes/
- wp-content/plugins/
You can, however, disable PHP in directories that you are sure have no need for PHP execution, for example wp-content/uploads/.
In this article, we will show you how to disable PHP execution in the WordPress wp-content/uploads directory using the .htaccess file.
Disabling PHP Execution in Certain WordPress Directories Using .htaccess File
Just as IIS servers use web.config, Apache servers on Linux use .htaccess files to tell the server how to handle requests. Most WordPress installations run on Apache on Linux, where the .htaccess file tells the server how to handle SEO-friendly URLs (permalinks). It can also be used to set a password for the admin area.
You need a similar .htaccess file to disable access to, or execution of, PHP. Here is what to do:
- Open the IDE you normally use, or Notepad
- Enter the code given below
- Save the file as .htaccess, selecting "All" as the file type
# Deny every web request for a file ending in .php in this directory
<Files *.php>
    deny from all
</Files>
You should now have a .htaccess file containing the code above, which you can upload into your wp-content/uploads directory. The server will then deny every request for a .php file in wp-content/uploads, so PHP files placed there cannot be executed through the web server.
Please note that you can disable PHP execution for any other directory in the same way.
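A stricter variant of the rule above, as an added example that is not part of the original article. It assumes Apache 2.2 or 2.4 with AllowOverride permitting access-control directives in .htaccess; it uses the current Require syntax where available and also covers other extensions commonly mapped to PHP, which <Files *.php> does not match.

```apache
# wp-content/uploads/.htaccess
# Added example, not from the original article.
# Assumption: AllowOverride on this directory permits AuthConfig/Limit directives.

# Match file names that carry a PHP-type extension, case-insensitively:
#   .php, .php3 ... .php8, .phtml, .phar, .pht
# The trailing (\.|$) also catches names where the PHP extension is followed
# by another one (name.php.jpg), which some AddHandler setups still hand to PHP.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht)(\.|$)">

    # Apache 2.4 and later: authorization is handled by mod_authz_core
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: fall back to the legacy access-control directives
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>

</FilesMatch>
```

After uploading it, request a harmless test .php file placed in wp-content/uploads: the server should answer 403 Forbidden rather than running it.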