Security Tips - Prevent PHP execution in default Writable Folder

In WordPress some folders are writable by default (the uploads and cache folders, for example). This permission exists so that images, videos and other media can be uploaded to the website. Attackers can abuse these writable directories by uploading malicious PHP code into them and then executing it remotely on your site.

Because a WordPress site needs these folders to be writable in order to work, we can't change their permissions. What we can do is reduce the scope of an attack by stopping the web server from executing PHP files placed in them. One of the simplest ways to disable PHP execution in specific folders is to add the following lines to an .htaccess file:

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

# Deny web access to any file whose name ends in .php (or .php. with a trailing dot)
<FilesMatch "\.(php|php\.)$">
    # Apache 2.2 syntax; on Apache 2.4 the equivalent directive is "Require all denied"
    Order Allow,Deny
    Deny from all
</FilesMatch>

For maximum security, upload the above created file in the following folders in your WordPress installation:

  • /wp-content/uploads/
  • /wp-includes/
  • cache folders within themes and plugins


Even if an attacker manages to get PHP code into one of these directories, the web server will refuse to execute it.

Note: this is not a fix for a site that has already been hacked; it is a security hardening measure only.
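As an added example (not part of the original article), the following Python script audits a WordPress tree and reports which of the directories listed above lack an .htaccess that actually denies .php requests. It evaluates the FilesMatch regex the way Apache does, so a rule written with curly quotes or in the wrong case is reported as unprotected. The probe name shell.php, the directory names and the constructed tree in demo() are assumptions.

```python
import os
import re
import tempfile

# Directories the tip tells you to protect, relative to the WordPress root
TARGET_DIRS = ["wp-content/uploads", "wp-includes"]

# <FilesMatch "regex"> ... </FilesMatch>, quoted or unquoted pattern, any case
FILESMATCH_RE = re.compile(r'<FilesMatch\s+"?([^">\s]+)"?\s*>(.*?)</FilesMatch>', re.S | re.I)
# Apache 2.2 and 2.4 spellings of "deny everyone"
DENY_RE = re.compile(r"^\s*(Deny from all|Require all denied)\s*$", re.I | re.M)

def rule_blocks_php(text):
    """True if `text` (an .htaccess body) contains a FilesMatch block whose regex
    matches 'shell.php' (case-sensitive, as Apache evaluates it) and denies access."""
    for pattern, body in FILESMATCH_RE.findall(text):
        try:
            if re.search(pattern, "shell.php") and DENY_RE.search(body):
                return True
        except re.error:  # unparsable regex: Apache rejects it, so it protects nothing
            continue
    return False

def htaccess_blocks_php(path):
    """Read the .htaccess at `path`; a missing file means no protection."""
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return rule_blocks_php(fh.read())

def audit(wp_root):
    """Return target directories (plus every 'cache' directory under wp-content)
    that exist but carry no PHP-denying .htaccess, as paths relative to wp_root."""
    dirs = [os.path.join(wp_root, d) for d in TARGET_DIRS]
    for dirpath, subdirs, _ in os.walk(os.path.join(wp_root, "wp-content")):
        dirs += [os.path.join(dirpath, s) for s in subdirs if s.lower() == "cache"]
    missing = [d for d in dirs
               if os.path.isdir(d) and not htaccess_blocks_php(os.path.join(d, ".htaccess"))]
    return sorted(os.path.relpath(d, wp_root).replace(os.sep, "/") for d in missing)

def demo():
    """Constructed tree: uploads carries the tip's rule, wp-includes and a plugin
    cache directory are left unprotected, so audit() should report those two."""
    root = tempfile.mkdtemp()
    for d in TARGET_DIRS + ["wp-content/plugins/example/cache"]:
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "wp-content/uploads/.htaccess"), "w") as fh:
        fh.write('<FilesMatch "\\.(php|php\\.)$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n')
    return audit(root)
```

Run audit() against a real installation root to list the directories still missing the rule.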
