How to Disable PHP Execution to Secure Your WordPress Web Server - dummies


By Lisa Sabin-Wilson

For most backdoor intrusion attempts to function, a PHP file has to be executed. The term backdoor describes a way of obtaining access to your WordPress web server that bypasses the regular authentication methods, such as injecting files written in a programming language such as PHP or JavaScript. Disabling PHP execution in a directory prevents such an attack or compromise from taking place because PHP files in that directory cannot be executed at all.

To disable PHP execution, you add four lines of code to the .htaccess file on your web server. Those lines look like this:

<Files *.php>
Order allow,deny
Deny from all
</Files>

By default, you have an .htaccess file in the WordPress directory on your web server. But you can also create an .htaccess file in other folders — particularly the folders in which you would like to disable PHP execution.

To disable PHP execution for maximum security, create an .htaccess file with those four lines of code in the following folders in your WordPress installation:

  • /wp-includes

  • /wp-content/uploads

  • /wp-content

The /wp-content/uploads directory is especially important because it is the only directory that has to be writeable for WordPress to work. This means that if an image is uploaded with a modified header, or if a PHP file is uploaded and PHP execution is allowed, an attacker would be able to exploit this weakness to create havoc in your environment. With PHP execution disabled in that directory, the attacker is unable to create any havoc.