One of the quick ways to harden WordPress is to disable PHP execution in the WordPress directories that do not need it.
WordPress runs on a PHP stack: PHP as the language, MySQL as the database, a web server (Apache or Nginx), and an operating system.
WordPress has multiple directories, each serving its own function. Many of these directories are writable so that users can interact with the website.
But not every directory needs to run PHP code, and you should make sure that PHP does not execute in the directories that do not.
Why disable PHP execution in WordPress directories?
Some directories must be customizable so that an authorized user can make changes to the website.
For example: updating the theme and plugins, making changes to content, customizing the look of the website, etc.
But if attackers get their hands on that ability, they can use it to write malicious files into the WordPress directories. Those files can then be executed and trigger actions that take over the website.
These files are also written in PHP and look similar to core files.
A few days back, the Elementor plugin got hacked, and the hackers were successful in injecting malicious code through a backdoor, hurting thousands of websites.
You can fix this quickly by disabling the PHP execution in WordPress directories.
This way, a PHP file that lands in that directory will not be executed, so its code never runs and the directory is protected from this kind of malicious activity.
Precautions with PHP
If you are a total stranger to PHP and WordPress, please don’t do this. However, if it is a necessity for your case, please ask an expert.
WordPress has many directories that need to execute PHP code to keep the website functional. If you disable PHP execution for those, WordPress will break because its backend code stops running.
So you have to pick the directories that do not require any PHP code to run.
We suggest starting with /wp-includes/ and /wp-content/uploads/.
How to disable PHP execution in WordPress directories?
By default, the .htaccess file is located in the WordPress root directory, and that file controls the top-level WordPress directories.
.htaccess is short for "hypertext access" file. It is a distributed server configuration file: it configures the web server only for the directory it is placed in.
You have to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.
Follow these steps to do it:
Step 1: Create a text file containing this code:
<Files *.php>
deny from all
</Files>
On Apache 2.4 without mod_access_compat loaded, use "Require all denied" instead of "deny from all".
Save the file as .htaccess (not .htaccess.txt).
Step 2: Log in to cPanel and open File Manager
Step 3: Find the /wp-content/uploads/ directory.
The file manager lists all directories; open /wp-content/uploads/.
Step 4: Upload the .htaccess file created in step 1.
If there is already a .htaccess file in the directory, add the code to that file instead and save it.
That’s it.
There will be no PHP execution in that directory anymore.
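The same procedure done from a shell on the server instead of cPanel's File Manager, as an added example that is not part of the original post. It assumes Apache with .htaccess overrides enabled (AllowOverride) and a path such as wp-content/uploads. The functions block_php_rules, install_block, is_blocked and check_url, and the BEGIN/END marker comments, are names chosen for this example. Compared with the three-line snippet above it matches the other PHP-family extensions too, works on both Apache 2.2 and 2.4, and handles the "a .htaccess file already exists" case from step 4 by appending rather than overwriting.

```shell
#!/bin/sh
# Added example (not from the original post): install a "no PHP execution"
# .htaccess into a WordPress directory, as steps 1-4 describe, but from a
# shell instead of cPanel. Assumes Apache honours .htaccess in that directory.
set -eu

# Marker comments so a second run recognises the block it already added.
BEGIN_MARK="# BEGIN block-php-execution"
END_MARK="# END block-php-execution"

# Print the rule block. FilesMatch covers the usual PHP-family extensions
# (php, php5, php7, phtml, phar), not only "*.php" like the post's snippet.
# The IfModule pair makes one file work on Apache 2.2 and 2.4.
block_php_rules() {
    cat <<'EOF'
# BEGIN block-php-execution
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# END block-php-execution
EOF
}

# install_block DIR: create DIR/.htaccess with the rules, or append them to an
# existing .htaccess (step 4's "add the code to that file" case). Idempotent.
install_block() {
    dir="$1"
    target="$dir/.htaccess"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -f "$target" ] && grep -qF "$BEGIN_MARK" "$target"; then
        echo "already present: $target"
        return 0
    fi
    # Append so that existing directives in the file are kept.
    block_php_rules >> "$target"
    echo "installed: $target"
}

# is_blocked DIR: succeeds if the marker block is present in DIR/.htaccess.
is_blocked() {
    grep -qF "$BEGIN_MARK" "$1/.htaccess" 2>/dev/null
}

# check_url URL: after deploying, confirm the server answers 403 for a PHP
# path under the protected directory, e.g.
#   check_url https://example.com/wp-content/uploads/test.php
# A 404 also means nothing ran; a 200 means the rule is not in effect.
check_url() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    echo "$1 -> HTTP $code"
    [ "$code" = "403" ]
}

# Typical use on the server (uncomment and adjust the path):
# install_block /var/www/html/wp-content/uploads
```

Run install_block once per directory you want to protect, then check_url against a PHP path under it. Note that .htaccess files are read only by Apache (and only where AllowOverride permits them); Nginx ignores them, so on Nginx the equivalent deny rule has to go into the server's own configuration. After installing, browse the site and the admin pages: a directory that turns out to need direct PHP requests shows up as broken pages and 403 entries in the access log, in which case remove the block from that directory.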
This trick will not help a website that has already been hacked. It is a precaution, not a cure; cleaning a hacked WordPress website takes time, energy, and resources.
At ServerGuy, we provide managed WordPress hosting. A team of security experts keeps your website hack-free and actively defends the website from malicious attacks. Check the price.
Final Words
This 2-minute WordPress security task can save you a lot of trouble.
Besides that, you can add security questions to the login page, change the login URL, and hide the WordPress version.
All of them help to take WordPress security to the next level.
I hope this quick tutorial helped you to learn how to disable PHP execution in WordPress directories.