How to Disable PHP Execution in WordPress Directories?

Disable PHP Execution in WordPress Directories

One of the quick ways to harden the WordPress security is to disable PHP execution in WordPress directories.

WordPress works on a PHP server – PHP as a language, MySQL as a database, a web server (Apache or Nginx), and an operating system.

WordPress has multiple directories — each one performing its function. Now many of these directories are writable so users can interact with the websites.

But not every directory is required to run PHP code. You have to make sure that PHP code does not run in those directories.

Why disable PHP execution in WordPress directories?

Some directories must be customizable, so the authorized user can make changes to the website.

For example: updating the theme and plugins, making changes in content, customizing the website look, etc

But if the hackers get their hand at it, they can use this ability to write malicious files into the WordPress directories. The malicious files can then run and trigger the action to steal the ownership of the website.

These files are also written in PHP and look similar to core files. 

A few days back, the elementor plugin got hacked, and the hackers were successful in injecting malicious code through the backdoor, hurting thousands of websites.

You can fix this quickly by disabling the PHP execution in WordPress directories.

This way, any PHP file present in the WordPress directory will not be executed. Therefore, the code will not run, and that folder and directory will be safe from any malicious activity.

Precautions with PHP

If you are a total stranger to PHP and WordPress, please don’t do this. However, if it is a necessity for your case, please ask an expert.

WordPress has many directories that need to execute PHP code within them to make the website functional. If we disable the PHP execution for them, the WordPress will crash as the backend code ends running.

So you have to pick up the directories that do not require any PHP code to run.

We suggest starting with /wp-includes/ and /wp-content-uploads/.

How to disable PHP execution in WordPress directories?

By default, the .htaccess file is located in the WordPress root directory. That .htaccess file manages and controls the higher-level WordPress directories.

.htaccess is short for hypertext access files. It is a distributed server configuration file and only configures the server of the directory it is in.

You have to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.

Follow these steps to do it:

Step 1: Create a Txt file with this code

<Files *.php>
deny from all
htaccess file

Save the file .htaccess. (not .htaccess.txt)

Step 2: Log in to cPanel and open File Manager

File Manager cPanel

Step 3: Find the /uploads directory.

WP Includes

You will find the list of all directories in the file manager. Open the /upload directory.

Step 4: Upload the TXT file we created in step 1.

Disable PHP Execution in WordPress Directories

If there is already an .htaccess file in the directory, you can add code to that .htaccess file.

And save it.

That’s it.

There will be no PHP execution in that directory anymore.

This trick will not help the hacked website. This is not a cure but a precaution. Cleaning a hacked WordPress website takes time, energy, and resources.

At ServerGuy, we provide managed WordPress hosting. A team of security experts keeps your website hack-free and actively defends the website from malicious attacks. Check the price.

Also Read:

Final Words

This 2-minute WordPress security task can save you a lot of trouble. 

Besides that, you can add security questions to the login page, change the login URL, and hide the WordPress version.

All of them help to take WordPress security to the next level.

I hope this quick tutorial helped you to learn how to disable PHP execution in WordPress directories.

Latest WordPress Tips, Guides, & News

Stay updated with new stuff in the WP ecosystem including exclusive deals, how-to articles, new plugins, and more. 100% WordPress Goodness, a promise!

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top

We can help you. Right now.

Fast growing merchants depend ServerGuy for high-performance hosting. Experience counts. Let's get started.

Talk to a sales representative

USA / Worldwide




Core Web Vitals Book COver

Is your website ready for Core Web Vitals?

Take this FREE book with you and optimize your store for speed.

Learn all about new Google new ranking factors and get that top ranking.