How to Disable PHP Execution in the Uploads Folder in WordPress

Protecting a beloved website from evil hackers is something every website owner worries about. Today, GretaThemes will introduce you to an effective way to protect your WordPress website from hacker attacks: disabling PHP execution in the uploads folder.

Sounds a bit technical, doesn’t it? However, it’s actually very easy, and anyone can do it within 5 minutes. But first, let me explain why we need to disable PHP execution in the uploads folder in WordPress!

Why We Need to Disable PHP Execution in the uploads Folder

Normally, admins and authorized users can upload files to the uploads folder. Hackers can take advantage of this to upload malicious files to the WordPress website if you don’t manage user roles properly.

In particular, if your website has forms such as a contact form or a post submission form, hackers can use these forms to upload malicious files (such as PHP files or images containing PHP code). By default, WordPress saves these files in the uploads folder. If you don’t disable PHP execution in this folder, hackers can run malicious code to hack your WordPress website. Therefore, when you prevent all users (except admin) from executing PHP in the uploads folder, the uploaded files that contain malicious code won’t be able to run.

There are many ways to disable PHP execution in the uploads folder, and the easiest is to insert code into the .htaccess file.

Below is what we need to do:

How to Disable PHP Execution in the Uploads Folder

First of all, log in to cPanel and choose File Manager.

Afterward, look for the uploads folder:

Normally, every folder in WordPress has a .htaccess file. To disable PHP execution in the uploads folder, add the following code to the .htaccess file in this folder:

<Files *.php>
deny from all
</Files>

In case the uploads folder doesn’t have the .htaccess file, create a new one as follows:

On the toolbar, choose File > Create New File and set the name of the new file as .htaccess:

Next, right-click the .htaccess file and click Edit:

After that, add the above code to the .htaccess file and click Save changes:

Okey-dokey! We’ve finished disabling PHP execution in the uploads folder in WordPress.
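
After saving, it is worth confirming that the rule is really in the folder's .htaccess and checking whether PHP has already landed among the uploads. The Python script below is an added example, not code from GretaThemes or WordPress: the function names and the sample tree are constructed for illustration, and the rule check only recognizes the three-line block shown above.

```python
import os
import re
import tempfile

# The page's rule: a <Files *.php> block that contains "deny from all".
RULE_RE = re.compile(rb'<Files\s+"?\*\.php"?\s*>[^<]*deny\s+from\s+all[^<]*</Files>', re.I)

def has_deny_rule(uploads_dir):
    """True if uploads_dir/.htaccess holds the rule on non-commented lines."""
    try:
        with open(os.path.join(uploads_dir, ".htaccess"), "rb") as fh:
            lines = fh.read().splitlines()
    except OSError:  # a missing or unreadable file counts as "not protected"
        return False
    active = b"\n".join(l for l in lines if not l.lstrip().startswith(b"#"))
    return RULE_RE.search(active) is not None

def find_suspect_files(uploads_dir):
    """Sorted (relative path, reason) pairs for uploaded files that carry PHP."""
    hits = []
    for root, _dirs, names in os.walk(uploads_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, uploads_dir)
            if name.lower().endswith(".php"):
                hits.append((rel, "php extension"))
                continue
            try:
                with open(full, "rb") as fh:  # read it all: the tag can sit anywhere
                    if b"<?php" in fh.read():
                        hits.append((rel, "contains <?php"))
            except OSError:
                continue
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree standing in for a WordPress uploads folder."""
    os.makedirs(os.path.join(root, "2024", "01"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("<Files *.php>\ndeny from all\n</Files>\n")
    files = {"photo.jpg": b"\xff\xd8 image", "avatar.jpg": b"\xff\xd8 <?php ?>", "tool.php": b"<?php ?>"}
    for name, data in files.items():
        with open(os.path.join(root, "2024", "01", name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(has_deny_rule(tmp), find_suspect_files(tmp))
```

Point both functions at the real uploads folder instead of the sample tree. A "contains <?php" hit is a lead to review by hand, since those bytes can also appear in harmless files.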

Last Words

Disabling PHP execution in the uploads folder in WordPress is extremely fast and simple. You just need to create the file, add only three lines of code and then save it. It takes less than 2 minutes. However, this simple task can help you avoid a lot of trouble, so don’t hesitate to do it right away!

In addition to disabling PHP execution in the uploads folder, you should also use security plugins to protect your WordPress website better. Over time, hackers will come up with new and more sophisticated tricks to hack websites. So don't forget to keep up to date with the latest news on WordPress website security at GretaThemes!
