Disable PHP Execution: Why & How?
Certain WordPress folders such as Uploads, Themes or Plugins are writable by default, so whenever we install a plugin or a theme, its files are stored in the corresponding folder. This would not be possible if the Themes and Plugins folders were not writable.
The disadvantage is that this permission also opens the door to an attack: a hacker can take advantage of it to upload a malicious script that can then be executed remotely, which can give them full access to your WordPress site.
It is not advisable to remove write permission from these folders, since you would no longer be able to upload images or install plugins and themes on your site. What we can do instead is reduce the potential for such a backdoor attack by disabling PHP execution, which removes a hacker's ability to execute PHP in those specific folders.
As discussed in previous posts on cleaning a hacked WordPress website's backdoor, most backdoor files are hidden in /wp-includes/ and /wp-content/uploads/. Generally they are PHP files whose names look like WordPress core files, but they are not. One way to improve WordPress security is to disable PHP execution in certain directories of the website. A simple way to do this is to place a special block of code in the .htaccess file of the specific folder in which we need to disable PHP execution. This article shows how to restrict PHP execution in a directory via .htaccess.
How to disable PHP execution
Create a new blank file with a text editor and name it .htaccess, then copy the following code into it:
# Match every file in this directory whose name ends in .php (or .php.)
<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
# On Apache 2.4 without mod_access_compat, replace the two lines above with: Require all denied
</FilesMatch>
Upload this file to the /wp-content/uploads/ and /wp-includes/ folders.
In the image below, we have placed this code in our .htaccess file.
Code explanation: the FilesMatch block matches every file in the directory whose name ends in .php and denies all web access to it, so the server will no longer execute (or serve) PHP files placed in that folder.
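As an added audit script (not from the original post, and not WordPress or Apache code), the following checks both target directories for the deny rule above and lists any PHP-named files sitting in uploads, where none should exist. The helper names, the sample directory layout and the file names it creates are constructed for the demonstration.

```python
import os
import re
import tempfile

# Same filename pattern as the .htaccess rule above; helper names here are constructed, not WordPress APIs.
PHP_NAME = re.compile(r"\.(php|php\.)$", re.IGNORECASE)
# Accept either the Apache 2.2 ("Deny from all") or 2.4 ("Require all denied") denial inside a FilesMatch block.
DENY_RULE = re.compile(r"<FilesMatch\b[^>]*>.*?(Deny from all|Require all denied).*?</FilesMatch>",
                       re.IGNORECASE | re.DOTALL)
UPLOADS, INCLUDES = "wp-content/uploads", "wp-includes"


def htaccess_blocks_php(directory):
    """True if directory/.htaccess carries a FilesMatch block that denies access."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return DENY_RULE.search(fh.read()) is not None


def find_php_files(directory):
    """Relative paths of PHP-named files under directory; uploads should contain none."""
    hits = []
    for dirpath, _, filenames in os.walk(directory):
        for name in filenames:
            if PHP_NAME.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), directory)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def audit(wp_root):
    """Which target directories lack the deny rule, and which PHP files sit in uploads."""
    unprotected = [d for d in (UPLOADS, INCLUDES)
                   if not htaccess_blocks_php(os.path.join(wp_root, d))]
    return {"unprotected": unprotected,
            "php_in_uploads": find_php_files(os.path.join(wp_root, UPLOADS))}


def build_sample_site():
    """Constructed sample tree: uploads has no .htaccess and holds a core-looking PHP file; wp-includes is protected."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, UPLOADS, "2024"))
    os.makedirs(os.path.join(root, INCLUDES))
    for name in ("photo.jpg", "class-wp-image.php"):  # constructed file names
        open(os.path.join(root, UPLOADS, "2024", name), "w").close()
    with open(os.path.join(root, INCLUDES, ".htaccess"), "w") as fh:
        fh.write('<FilesMatch "\\.(php|php\\.)$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n')
    return root


if __name__ == "__main__":
    print(audit(build_sample_site()))
```

Note that the pattern's trailing $ only matches names that end in .php, so a file such as shell.php.jpg is not covered by this rule; whether such a file is ever executed depends on the server's handler configuration, not on this block.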