Hey there, WordPress site owner. Let me guess – you're here because you want to make your site as secure as possible.
You've probably already taken basic precautions like using strong passwords and keeping your WordPress install updated (if not, start there!). But if you really want to harden your site's security, there's one key step you can't overlook:
Disabling PHP execution in directories where WordPress doesn't need it to run.
I know, it sounds technical. But don't worry – I'm going to walk you through exactly how to do it step-by-step. By the end of this guide, you'll have locked down your wp-includes, uploads, and other directories that hackers love to target with a simple .htaccess trick.
But first, let's talk about why this matters so much.
Why Disabling PHP in WordPress Directories Is Crucial
Let's say a hacker manages to exploit a vulnerability and upload a malicious PHP script to your server. If PHP is enabled across your entire WordPress installation, that script can execute and infect your site with malware, create a backdoor for the hacker to maintain access, and potentially compromise sensitive data.
This isn't just a hypothetical scenario – it happens all the time. In fact, according to a 2020 study by Sucuri, PHP is the most commonly targeted programming language for website malware. The study found that out of over 56,000 infected websites, a whopping 68% had a PHP-based CMS like WordPress.
And within WordPress, certain directories are especially attractive targets for hackers looking to upload PHP backdoors and other malicious scripts:
- /wp-content/uploads/ – By default, any logged-in user can upload files here, making it a prime spot for hackers to hide scripts among legitimate media uploads.
- /wp-includes/ – This directory is home to crucial WordPress core files. If a hacker can modify them with malware, they could gain complete control of your site.
- /wp-content/ – Plugins and themes in this directory run on PHP. A compromised plugin or theme could infect your whole site.
Thankfully, with a few tweaks to your .htaccess file, you can prevent PHP scripts from executing in these sensitive directories altogether. Here's how.
How to Disable PHP Execution in WordPress Using .htaccess
Ready to lock down those vulnerable directories? I'll walk you through it:
1. Access your WordPress site's files via FTP, SFTP, SSH, or your host's file manager.
2. Navigate to your WordPress root directory (usually public_html or your site's name).
3. Look for the .htaccess file. It might be hidden, so make sure your FTP client or file manager is set to show hidden files.
4. Download a copy of the .htaccess file as a backup. Always back up before making changes!
5. Open the .htaccess file in your preferred text editor.
6. Scroll to the bottom of the file and paste in the following code:

   ```apache
   # "Deny from all" is Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied"
   <FilesMatch "\.php$">
   Deny from all
   </FilesMatch>
   ```

   This snippet tells your server to deny access to any .php files in the directory where the .htaccess file is located.
7. Save your changes and re-upload the .htaccess file to your server, overwriting the original.
8. Next, navigate to the /wp-includes/ directory.
9. Create a new file and name it .htaccess (note the leading dot).
10. Open the new file and paste in the same code snippet from step 6.
11. Save and upload this .htaccess file to the /wp-includes/ directory.
12. Repeat steps 8-11 for the /wp-content/uploads/ directory.
And that's it! PHP execution should now be disabled in your wp-includes and uploads directories. To verify it's working, you can try uploading a .php file to your uploads directory and accessing it in a browser – you should get a 403 Forbidden error.
Now, there are a couple of things to keep in mind:
- Disabling PHP in /wp-content/ will break your plugins and themes. That's why we're only disabling it in specific subdirectories like /uploads/.
- Some plugins may need to execute PHP in your uploads directory to function properly (I'm looking at you, backup plugins). If that's the case, you can either make an exception in your .htaccess file or store those files in a different directory.
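Here is the whole procedure above as a script, including the per-file exception mentioned in the note just above and the 403 check from the verification step. This is an added example, not code from the original guide: it assumes a POSIX shell with write access to the WordPress tree and `curl` for the final check. The directives wrap the guide's `Deny from all` (Apache 2.2 syntax) together with the Apache 2.4 equivalent `Require all denied`, and the exception file name `backup-helper.php` used in the usage note is a placeholder for whatever file a plugin documents.

```shell
#!/bin/sh
# Added example (not from the original guide): script the deny-PHP .htaccess
# steps for wp-includes and wp-content/uploads, with backups and an optional
# per-file exception for a plugin that genuinely needs PHP there.
set -eu

# The guide's "Deny from all" is Apache 2.2 syntax; Apache 2.4 uses
# "Require all denied". Emit both, guarded so only the loaded one applies.
deny_php_block() {
    cat <<'EOF'
# BEGIN deny-php-execution
<FilesMatch "\.php$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
# END deny-php-execution
EOF
}

# Exception for one named file, as the note above suggests. Apache merges
# <Files>/<FilesMatch> sections in file order, so this must come after the
# deny block to override it for that single file.
allow_php_file_block() {
    cat <<EOF
# BEGIN allow-php-exception $1
<Files "$1">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
</Files>
# END allow-php-exception $1
EOF
}

# install_deny_php DIR: back up any existing .htaccess (step 4 of the guide),
# then append the deny block unless it is already there. Idempotent.
install_deny_php() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    target="$dir/.htaccess"
    if [ -f "$target" ]; then
        if grep -q 'BEGIN deny-php-execution' "$target"; then
            echo "already protected: $target"
            return 0
        fi
        cp "$target" "$target.bak.$(date +%Y%m%d%H%M%S)"
    fi
    deny_php_block >> "$target"
    echo "wrote $target"
}

# allow_php_file DIR FILE: append an exception for FILE (for example a backup
# plugin's helper script; the name is whatever the plugin documents).
allow_php_file() {
    target="$1/.htaccess"
    [ -f "$target" ] || { echo "run install_deny_php first: $target" >&2; return 1; }
    grep -q "BEGIN allow-php-exception $2\$" "$target" && return 0
    allow_php_file_block "$2" >> "$target"
}

# harden_wordpress ROOT: the two directories the guide protects (steps 8-12).
harden_wordpress() {
    install_deny_php "$1/wp-includes"
    install_deny_php "$1/wp-content/uploads"
}

# verify_php_blocked URL: the guide's browser check, scripted. Succeeds only
# if the server answers 403 for a .php URL under a protected directory.
# Needs network access to the live site; point it at an empty test file.
verify_php_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "403" ]
}
```

Source the file and run `harden_wordpress /path/to/wordpress`, then, if a plugin really needs one script served, `allow_php_file /path/to/wordpress/wp-content/uploads backup-helper.php`, and finally `verify_php_blocked https://example.com/wp-content/uploads/test.php` after uploading an empty test file. One design point worth knowing: directives in an .htaccess file apply to that directory and everything beneath it, which is why the script writes into /wp-includes/ and /wp-content/uploads/ rather than anywhere that contains the PHP files WordPress itself must serve.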
So while disabling PHP execution in key WordPress directories is a powerful security layer, it's not infallible. Let's talk about some other ways you can harden your site.
More Tips to Boost Your WordPress Security
Disabling PHP is just one piece of the WordPress security puzzle. Here are some other best practices I recommend to keep your site safe:
- Keep everything updated – WordPress core, themes, plugins, everything. Hackers exploit known vulnerabilities, so running the latest patched version is crucial.
- Delete unused themes & plugins – The more plugins you have, the larger your attack surface. Audit your plugins and delete any you're not actively using.
- Enable SSL/HTTPS – An SSL certificate encrypts traffic between a user's browser and your server. Many hosts offer free SSL through Let's Encrypt.
- Enforce strong passwords – You'd be shocked how many people still use "password123". Use a password manager to generate and store long, random passwords.
- Enable two-factor authentication – 2FA adds an extra login step, like entering a code from an authenticator app. It's a must-have to prevent unauthorized access.
- Limit login attempts – Brute force attacks rely on repeated login attempts to guess passwords. Limit attempts to thwart them (many security plugins can do this).
Speaking of security plugins, let's take a look at some of the most popular options.
Top WordPress Security Plugins Compared
While not a substitute for a comprehensive security strategy, WordPress security plugins can handle a lot of the heavy lifting when it comes to protecting your site. Here's how some of the top contenders stack up:
| Plugin | Price | Malware Scan | Firewall | Login Security | Support |
|---|---|---|---|---|---|
| Sucuri | $199/yr | Yes | Yes | Yes | Email, chat, phone |
| Wordfence | Free / $99/yr | Yes | Yes | Yes | Email, premium phone/chat |
| iThemes Security | $80/yr | No | Yes | Yes | |
| Jetpack | $10/mo | Yes | No | Requires paid addon | Email, live chat |
| All In One WP Security | Free | No | Yes | Yes | None |
I personally use and recommend Sucuri because of their proactive monitoring, malware removal guarantee, and helpful support. But Wordfence is a solid free/budget-friendly alternative, and iThemes Security and Jetpack have their place as well, especially if you're already using their other products.
Wrapping Up
I know we've covered a lot of ground here, so let's recap the key points:
- Disabling PHP execution in key WordPress directories (wp-includes, uploads, etc.) is crucial for preventing hackers from running malicious scripts on your server.
- You can disable PHP in specific directories by creating .htaccess files with the proper code snippets.
- Disabling PHP is just one layer of security – always keep your site updated, use strong passwords and 2FA, limit login attempts, and consider a security plugin for extra protection.
Remember, your WordPress site's security is ultimately in your hands. But by following the steps and best practices outlined here, you'll be well on your way to fortifying your site against attacks.
If you have any questions or want to share your own tips for disabling PHP in WordPress, drop a comment below. Stay safe out there!
