Disable PHP Execution & Directory Browsing for Better WordPress Security

WordPress files and directories play a vital role in keeping your site secure. Setting them properly should be one of your biggest priority after installing WordPress. Setting proper permission of who can see which files and what actions a user can take improves your site security posture significantly. In this post, we’ll discuss how disabling both PHP execution and directory browsing can improve your site’s security.

Disable PHP Execution: Why & How?

Certain WordPress folders such as Uploads or Themes or Plugins are writable by default. This type of permission allows users to upload images and videos on the site. Or install themes and plugins on a site. Every time we install a plugin or a theme, new files are stored in their respective folders. This wouldn’t be possible if the Theme and Plugins folders were not writable.

One of the reasons why many people prefer using WordPress to build their sites is the ability to easily customize a site with the help of themes and plugins. Anyone can install any theme or plugin on their website which is possible because Themes and Plugin folders are writable by default. But unfortunately, this type of permission also opens up chances of a hack attack like phishing attacks, SEO spams, brute force attacks, etc. Hackers can take advantage and upload a malicious script which can be executed remotely. This will help them gain full access to your site or even destroy your website.

One can recall the Mailpoet Hack allowed hackers to upload a malicious PHP code to the Upload folder which they executed to gain control over the site.

It’s not convenient to remove writing permission because then, you can’t upload images, or even install plugins and themes to your site. But what you can do is reduce the scope of a successful attack by disabling PHP execution. It’ll remove permission to execute in specific folders.

A simple way of disabling PHP execution is to place a special code in the .htacess file of that specific folder where you want to disable PHP execution.

Note: Take backups of your site before modifying the files. A single mistake in the step we are going to follow could break your site or cause other problems. Backups can ensure that you can quickly revert to a working copy of your site when an issue crops up.

Step 1: To disable PHP execution in the Uploads folder, simply create a .htaccess file in the Upload folder. You can find the folder in wp-content under public_html.

PHP execution, directory browsing

Step 2: Now open notepad (for Windows) or TextEdit (for Mac) to create a file. Include the following code and save this file as .htaccess (not .htaccess.txt):

# BEGIN WordPress
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L] </IfModule>
 # END WordPress

Step 3: Save the code and upload the file in the Upload folder.

PHP execution, directory browsing

Step 4: Now you have a new .htaccess file in the Upload folder. Right-click and select Edit. Place the following piece of code in your brand new .htaccess file.

<FilesMatch “\.(php|php\.)$”> 

Order Allow,Deny 

Deny from all 


In the image below, we placed the code in our .htaccess file.   

PHP execution, directory browsing

This ensures that any file having “PHP” will be caught and prevented from execution. If a hacker manages to upload a file like “mailciousPHPFileDisguisedAsJPEFfile.php.jpg”, it’ll be blocked from execution.

For maximum security, you can add the codes to .htaccess files of plugin and themes folder as well.

Manually disabling PHP execution is a bit risky. One must tread carefully in the File Manager. A single misstep can cause serious damage to your site. It is easier and less risky to disable PHP execution using a plugin. MalCare Security Service comes with a Site Hardening features that allows users to Block PHP Execution.

PHP execution, directory browsing

You will need your FTP details to enable this feature.

PHP execution, directory browsing

Disabling PHP execution harden’s your site’s security but we can go one step further disable directory browsing.

Stop Directory Browsing: Why & How?

Sometimes a visitor can easily view the directory listing a WordPress site. For instance, visitors to our website Westworld Fansite can view files listed in the wp-includes folder by simply opening “http://westworldfansite.com/wp-includes/” in the browser.

It may seem harmless but directory listing can reveal sensitive information that hackers can exploit to gain access to your site. Hence we need to hide listing. While security by obscurity is generally frowned upon, it is best to hide as much information as possible. The less the hackers know about you, the less likely they are to attack you.

PHP execution, directory browsing

To harden our site security, we decided to disable directory browsing by placing the following code in the .htaccess file.

Remember to take backups of your site before modifying the .htaccess files. One mistake can cause major problems on your site. Backups will ensure that you can quickly revert to a working copy of your site when an issue crops up.

As remember to edit the .htaccess file of the directory that you want users to prevent browsing. For instance, you want to protect the folder wp-include, place the following line in the .htaccess file of the folder wp-include:

Options All –Indexes

After saving the code, we tried to view the directory listing and a 403 error page appeared.

PHP execution, directory browsing

Over to You

Disabling PHP execution and directory browsing can definitely improve your website security but it’s just one of the many ways to secure a WordPress site from hack attempts. A few other security measures that you can take include using a security plugin, using an SSL certificate, using a unique and strong username and password, implementing HTTP authentication and two-factor authentication among other things.

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap