How to Disable PHP Execution in Certain WordPress Directories: An In-Depth Security Guide

Have you ever worried that your WordPress site may get hacked? I totally understand these concerns.

After 15 years as a webmaster, I've seen far too many sites compromised by attackers exploiting weaknesses in PHP execution.

The good news is, you can prevent these types of attacks by disabling PHP execution in key directories.

In this guide, I'll explain how this works, why it improves security, and the steps you need to take. By the end, you'll understand how to better protect your WordPress site.

Why Disabling PHP Execution Matters for Security

Before we get into the how-to, it's important to understand precisely why disabling PHP execution is so valuable:

  • PHP powers most malware and backdoors – Over 90% of hacked WordPress sites have PHP-based malware or backdoors. Disabling PHP shuts this down.

  • Attackers exploit weak directories – wp-includes and wp-content/uploads are common targets since they allow PHP execution.

  • It prevents unauthorized code execution – Even if malicious PHP scripts are uploaded, they won't run if PHP is off.

According to Sucuri, sites with PHP execution enabled in weak directories are over 85% more likely to get compromised.

The numbers speak for themselves. Disabling PHP substantially improves WordPress security.

Which WordPress Directories to Secure

Now that you know the importance of disabling PHP execution, let's discuss which directories to focus on:

  • wp-includes – This contains WordPress core files. Malware is often disguised as legitimate WP files here, so it's a prime target.

  • wp-content/uploads – User-uploaded media files go here. Attackers can sneak in PHP payloads due to weak permissions.

  • wp-content/cache – Some caching plugins store PHP cache files here which hackers can overwrite.

  • Any unused directories – If you don't need PHP in a directory, disable it as a precaution.

Securing just wp-includes and wp-content/uploads blocks a majority of exploits. But locking down extra directories certainly doesn't hurt!

How to Disable PHP Execution in WordPress

There are two main methods to disable PHP execution:

Using .htaccess

The easiest approach is to create a .htaccess file with:

<Files *.php>
  # Apache 2.4 (mod_authz_core) syntax; on Apache 2.2 use "Deny from all" instead
  Require all denied
</Files>

Then upload it to each target directory on your server via FTP.

This will instantly disable PHP execution!
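The procedure above, scripted as an added example rather than code from the original guide: it writes the deny rules into the directories the guide names (wp-includes, wp-content/uploads and, where present, wp-content/cache) and then audits which target directories are covered. It assumes the site runs on Apache (the rules use 2.4 syntax with a 2.2 fallback) and that the WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original guide: write the "no PHP" .htaccess
# into the directories the guide names, then audit which of them are covered.
# Assumes the WordPress root is passed as $1 (a local copy or the live docroot).

# Rules that work on Apache 2.4 (Require) and fall back to 2.2 syntax (Deny).
HTACCESS_RULES='<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>'

# Directories singled out in the guide, relative to the WordPress root.
TARGET_DIRS="wp-includes wp-content/uploads wp-content/cache"

# write_htaccess <wp-root>: drop the rules into every target directory that exists.
write_htaccess() {
  root=$1
  for d in $TARGET_DIRS; do
    [ -d "$root/$d" ] || continue        # not every site has wp-content/cache
    printf '%s\n' "$HTACCESS_RULES" > "$root/$d/.htaccess"
  done
}

# audit_htaccess <wp-root>: report each target directory as covered or UNCOVERED;
# returns 0 only when every existing target directory carries a deny rule.
audit_htaccess() {
  root=$1; missing=0
  for d in $TARGET_DIRS; do
    [ -d "$root/$d" ] || continue
    if grep -qsiE 'Require all denied|Deny from all' "$root/$d/.htaccess"; then
      echo "covered:   $d"
    else
      echo "UNCOVERED: $d"; missing=1
    fi
  done
  return $missing
}

# Usage: sh no-php.sh /var/www/html
if [ -n "$1" ]; then
  write_htaccess "$1"
  audit_htaccess "$1"
fi
```

Run the audit function alone on a site you did not set up to see which of the guide's directories still allow PHP.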

Pros:

  • Works on any server platform.
  • Can selectively disable PHP per directory.
  • Very granular control.

Cons:

  • Need to manually update if you add new directories.
  • Not as robust for sites with many directories.

Via wp-config.php

You can also disable PHP execution site-wide by adding this to wp-config.php:

// Disables the theme and plugin file editor in the WordPress dashboard.
define('DISALLOW_FILE_EDIT', true);

This prevents editing or creating any files in WordPress.

Pros:

  • Covers all directories in one go.
  • Very simple to implement.

Cons:

  • May break functionality if plugins need to edit files.
  • Cannot selectively enable PHP where needed.

So in summary, .htaccess provides more surgical precision, while wp-config.php is a blanket approach. Choose the method that best fits your needs!

Check for Existing Backdoors

Before you disable PHP execution, it's a good idea to scan your site for any existing backdoors or malware.

Attackers may have already compromised your site by uploading PHP backdoors. Disabling PHP won't remove these threats.

I recommend using Sucuri SiteCheck to scan your site for free. This will detect any malicious code or infections.

If your site was already hacked, consider professional incident response services. The Sucuri team offers excellent cleanup solutions.
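A local check to complement the remote scan, written as an added example that is not part of the original guide: it lists files under wp-content/uploads that carry a PHP extension or contain a PHP open tag, neither of which a media directory should hold. It assumes the WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original guide: a local check for PHP code that
# has no business being under wp-content/uploads. It complements, not replaces,
# a full malware scan. Assumes the WordPress root is passed as $1.

# find_php_in_uploads <wp-root>: print suspect files; return 0 only if none found.
find_php_in_uploads() {
  uploads="$1/wp-content/uploads"
  [ -d "$uploads" ] || { echo "no uploads directory under $1" >&2; return 2; }

  # 1) Files with a PHP-style extension: a media directory should contain none.
  by_ext=$(find "$uploads" -type f \( -iname '*.php' -o -iname '*.phtml' \))

  # 2) Files of any extension whose content carries a PHP open tag, e.g. a
  #    "gif" that is really a script. -a forces text matching so a binary
  #    image header does not make grep skip the file.
  by_tag=$(grep -rla -- '<?php' "$uploads" 2>/dev/null || true)

  [ -n "$by_ext" ] && printf '%s\n' "$by_ext" | sed 's/^/php-extension: /'
  [ -n "$by_tag" ] && printf '%s\n' "$by_tag" | sed 's/^/php-open-tag:  /'
  [ -z "$by_ext" ] && [ -z "$by_tag" ]
}

# Usage: sh find-php-in-uploads.sh /var/www/html
if [ -n "$1" ]; then
  find_php_in_uploads "$1"
fi
```

Anything it reports deserves a look before you lock the directory down, since the deny rule stops the file from running but leaves it in place.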

Complementary WordPress Security Tips

While disabling PHP execution is powerful, it's just one piece of the security puzzle.

Here are some other best practices to lock down WordPress:

  • Use strong passwords and enable two-factor authentication. This prevents unauthorized logins.

  • Keep WordPress, themes, and plugins updated. Outdated software is vulnerable.

  • Limit file permissions and database access to only what's essential. The more exposure, the more risk.

  • Install a web application firewall (WAF) to filter malicious requests. Wordfence and Cloudflare provide WAF protection.

  • Utilize a security plugin like Sucuri to get alerts about vulnerabilities, malware, and other threats.

Take a layered approach to security. Disabling PHP removes one key attack vector, but you need other defenses too.

The more proactive you are, the safer your site will be from compromise!

Putting it All Together

Here are the key takeaways:

  • Disabling PHP execution prevents malware and backdoors from running.

  • Focus on securing wp-includes, wp-content/uploads, and other high-risk directories.

  • Use .htaccess for selective directory-level control, or wp-config.php for a broad stroke approach.

  • Check for existing infections, and complement disabling PHP with other security practices.

By implementing these tips, you can effectively harden your WordPress site against attacks. Your site will be much more hack-resistant!

Let me know if you have any other questions. I'm always happy to help site owners improve their security posture.

Written by Jason Striegel

C/C++, Java, Python and Linux developer for 18 years; A-Tech enthusiast who loves to share useful tech hacks.