WordPress is one of the most popular website builders available. People like it because it largely takes coding out of the equation: users can create a functional website without writing a single line of code. This is a huge convenience and makes it easy for anyone to get a website. However, it can cause some problems too. In this tutorial, we will discuss how to disable PHP execution in WordPress directories. The open-source CMS makes some directories writeable by default so that you can easily upload themes, plugins or media to your website. This can be abused to harm your website, which is why it is important to deactivate PHP execution in certain directories. Let’s see how it can be done.
Why Must PHP Execution Be Disabled In Some Directories?
By default, some folders such as uploads, themes and plugins are writeable in WordPress. This allows users to easily upload media like images and videos to their website. The permission also comes in handy when you want to install a new theme or plugin: when you install one, its files are stored in the relevant folder. If the folder were not writeable, this would not be possible. However, this convenient feature also leaves your website open to unauthorized access. Hackers can take advantage of the writeable nature of a folder and upload a malicious script to it. They can then remotely execute the harmful code and take over your website. Removing the write permission from all directories is not practical, because you could then no longer upload an image or a theme to your website. However, disabling the execution of PHP scripts in specific folders can reduce the chances of an attack.
How To Disable PHP Execution?
In this guide, we will show you how to deactivate PHP execution by using the .htaccess file. New users, such as those who convert a PSD to a WordPress theme, may be unaware of this file. It is a key configuration file located in the root of most WordPress websites. The open-source CMS uses it to control how files are served from the Apache server. The most common use of .htaccess is generating permalinks. It can also be used for cache control, authorization, or to disable directory browsing. Let’s see how it can be used to disable PHP execution in WordPress directories. Remember to take a backup of your website before starting the process. This will help you restore your website if anything goes wrong during the procedure.
1. Connect To Your Website Through FTP
First, you will need to connect to your website through FTP. You will need the FTP username and password provided by your hosting service. Use an FTP client like FileZilla and enter your account details to connect to your website. This will take you to the core files of your installation. In this guide, we will show how to deactivate the execution of PHP scripts in the Uploads folder. Locate the folder in wp-content under public_html.
2. Create The .htaccess File
Now we will create the .htaccess file. Open a text editor like Notepad on your system and create a blank file. Name it “.htaccess”. Paste the code shown in the image given below into the file.
3. Upload The File Into The Folder
We will now upload the file to the Uploads folder which we located in the first step. Go back to your FTP client. You will find two sections, namely Local Site and Remote Site. The Remote Site section displays all the files and folders of your website; this is where you located the Uploads folder in wp-content. In the Local Site section, you can see the files stored on your system.
4. Edit The .htaccess File
The .htaccess file is now saved in the Uploads folder of your interface. We will need to modify it so that PHP execution is disabled in the directory. Right-click on the file and then choose the Edit option.
Now, you will need to add the following code to the file.
<Files *.php>
deny from all
</Files>
Use the image given below for reference to understand where the code should be placed.
Save the file. The process to disable PHP execution in the Uploads folder is complete.
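A more defensive variant of the rule above, given here as an added example that is not part of the original tutorial. It goes beyond the three-line rule by covering both the Apache 2.4 and Apache 2.2 access-control syntax and by matching other extensions that hosts commonly map to the PHP handler. It assumes an Apache server whose AllowOverride setting permits these directives in .htaccess.

```apache
# .htaccess for wp-content/uploads (added example, not from the original tutorial).
# Assumption: Apache, with AllowOverride permitting access-control directives here.

# "<Files *.php>" only matches names ending in .php. Hosts often also send
# .phtml, .php5, .phar and similar extensions to the PHP handler, and with
# AddHandler-style setups a name such as "image.php.jpg" can be treated as PHP
# as well, so the pattern matches the extension anywhere in the file name.
<FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phar)(\.|$)">

    # Apache 2.4 and later: access control is handled by mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: legacy Order/Deny syntax, used only when mod_authz_core
    # is not loaded.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>

</FilesMatch>
```

With this in place, a request for any matching file under the Uploads folder is answered with 403 Forbidden instead of being executed, while images and other media are served as before.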
Conclusion
This process will help you in manually deactivating the execution of PHP scripts in selected directories of your website. However, a single mistake during the process can cause issues on your interface. The best way is to engage custom WordPress theme development experts who will disable the execution in your theme folder or suggest plugins which will harden the security of your website.