How to Disable PHP Execution to Secure Your WordPress Web Server
To disable PHP execution, you add four lines to an .htaccess file in the directory you want to protect. In the Apache 2.2 syntax used here, those lines are:

    <Files *.php>
    Order allow,deny
    Deny from all
    </Files>

Two caveats before you rely on this: Apache 2.4 replaced the Order/Deny directives with Require all denied (the old form only still works if mod_access_compat is loaded), and .htaccess files are honoured only where the server's AllowOverride setting permits it; nginx ignores .htaccess entirely.
WordPress normally keeps an .htaccess file in its root directory (it is written there when pretty permalinks are enabled). You can also create an .htaccess file in other folders, in particular the folders in which you would like to disable PHP execution.
To disable PHP execution for maximum security, create an .htaccess file with those four lines of code in the following folders in your WordPress installation:
This directory is important because it is the one that has to be writeable by the web server for WordPress to work. That means an attacker who can get a file into it, whether a PHP file uploaded directly or an image with PHP code hidden in its header, can run it if PHP execution is allowed there and wreak havoc in your environment. With PHP execution disabled, the server refuses to run or serve .php files from that directory, so an uploaded script is inert. Note that the rule matches on file name only: a polyglot image is dangerous only if something else (a file inclusion bug, a loose handler mapping) causes it to be executed as PHP, so treat this rule as one layer and keep upload validation in place.
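The following script is an added example, not code from the original article. It generates the rule set, installs it into a directory without clobbering an existing .htaccess, checks that a directory is protected, and lists any PHP-like files that were uploaded before the block existed. It assumes Apache reads .htaccess in that directory (AllowOverride permits it). Using FilesMatch with a broader extension list, and emitting both the Apache 2.4 and 2.2 directive forms inside IfModule guards, goes beyond the article's plain `<Files *.php>` block; both are assumptions on my part.

```shell
#!/bin/sh
# Added example (not from the original article): generate, install and check a
# PHP-execution-blocking .htaccess for a directory such as an upload folder.
# Assumes Apache honours .htaccess here (AllowOverride permits it); nginx
# ignores .htaccess entirely. The <IfModule> guards emit Apache 2.4 syntax
# (Require all denied) and fall back to the 2.2 syntax shown in the article.

# Print the rule set to stdout. FilesMatch with a wider extension list is an
# assumption beyond the article's <Files *.php>; it also catches .phtml/.phar.
php_block_rules() {
  cat <<'EOF'
# Block execution of PHP-like files in this directory
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Return 0 if $1/.htaccess contains a deny rule scoped by a Files/FilesMatch
# block (static check; confirm over HTTP as described below).
check_php_blocked() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -Eq '<Files(Match)?[ >]' "$f" || return 1
  grep -Eq 'Require all denied|Deny from all' "$f"
}

# Install the rules into $1. Appends to an existing .htaccess that lacks them,
# so other rules in that file are preserved; idempotent on repeated runs.
install_php_block() {
  dir=$1
  [ -d "$dir" ] || return 1
  check_php_blocked "$dir" && return 0
  php_block_rules >> "$dir/.htaccess"
}

# List PHP-like files already present under $1. Anything found landed before
# the block existed and should be reviewed and removed, not just left inert.
find_php_files() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
}
```

Usage: `install_php_block /path/to/protected/dir`, then `find_php_files /path/to/protected/dir` to review anything that is already there. The grep-based check only proves the rule is on disk; to confirm the server applies it, place a harmless `test.php` in the directory and request it with `curl -I`, which should answer 403 rather than 200 (then delete the test file).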