How to Disable PHP Execution in Some WordPress Directories?

Disable PHP Execution in WordPress Directories

One of the best ways to improve the security of a WordPress site is to simply disable PHP execution in WordPress directories.

WordPress needs a PHP server; where PHP is a programming language, MySQL as a database, a web server ( Apache or Nginx), and an operating system.

WordPress has numerous directories each one doing its function. Now, various directories are writable so users can interact with the sites.

However, not every directory needs to run the PHP code. You need to ensure that the PHP code doesn’t run in those directories

Now, let’s see why to disable PHP execution in WordPress directories.

Reasons to disable PHP execution in WordPress directories

At least a few of the directories should be set as customizable, so the authorized users can do the changes to the site.

For instance: updating the plugins and themes, doing alterations in content, customizing the site look, etc.

However, if the hackers obtain access to it, they can exploit it write the malicious files into WordPress directories. Then the malicious files can be run and trigger the action to steal the ownership of the site.

These files are likewise written in PHP and resemble core files.

Recently, the popular elementor plugin got hacked, and the hackers successfully injected malicious code via the backdoor, thereby hurting thousands of sites.

You can easily fix this quickly by disabling the PHP execution in WordPress directories.

In such a case, any PHP file present in the WordPress directory will not be executed. Hence, the code will not run, and that folder and directory will be secure from any fraudulent activity.

Suggested for further reading:

Precautions with PHP

If you are completely new to PHP and WordPress, please don’t proceed further. But, instead, you can ask experts to do it for you.

WordPress has several directories that require execution of PHP code within them to make the site operative. If we deactivate the PHP execution, the WordPress will crash as the backend end code will stop running.

Hence, you need to just choose the directories that don’t need any PHP code to execute.

We suggest starting the URLs with /wp-includes/ and /wp-content-uploads/.

Moving ahead let’s see how to disable PHP execution in WordPress directories.

How to disable PHP execution in WordPress directories?

By default, the .htacess file can be found in the WordPress root directory. That .htaccess file manages and controls the higher-level WordPress directories.

.htaccess is short for hypertext access files. It is a server configuration file that just configures the server of the directory it’s in.

You need to make a .htaccess file and upload it to your website’s /wp-includes/ and /wp-content/uploads/ directories.

Follow the below steps to disable PHP execution in WordPress directories:

Step 1: Create a Txt file with this code

<Files *.php>
deny from all

Save the file as .htaccess ( not as .htaccess.txt)

Step 2: Log in to cPanel and open the File Manager

Step 3: Look for the /uploads directory

There, you will see a list of all the directories in the file manager.

Step 4: Upload the .htaccess file that we created in Step 1.

If the .htacess file is already present in the directory, you can add the code in that htaccess file. Just save it.

There won’t be any PHP execution in that directory.

Note: Our trick is not a cure but a precaution from website hacking.

Additionally, you can read this article on “How to Find Malware In Your Website?

At 10GB Hosting, we offer managed WordPress hosting. Our security experts will ensure that your site is protected against various security threats and malicious attacks.


This small effort to improve your WordPress site’s security can save you from a lot of trouble.

We hope this quick tutorial post helped you understand how to disable PHP execution in WordPress directories.

Additionally, you can check out our Managed VPS UK plan that focuses on auto-scaling, performance, and security of your website.