Disable PHP script execution in WordPress upload folders using .htaccess

Written by Anup Kumar

Checking the security of every plugin is very difficult when working with WordPress, and it requires strong PHP skills. So here I (Anup) will show you how you can disable execution of PHP or any other script.

How do attackers use this to install malware on your website?

WordPress itself and every plugin upload all media files into the upload folder. Sometimes a plugin you install also places an executable script in that folder.
E.g., for this blog we have the directory:
…/blog/frontend_skin/uploads

And a new plugin installs a script:
…/blog/frontend_skin/uploads/anup.php

A single PHP script is enough to do anything on your website; even a file manager can be written in a single PHP script. But what if this PHP file could not execute, just like an HTML file?

Yes, we can stop it by simply placing a .htaccess file in the upload folder.

How to install .htaccess to disable PHP script execution in the WordPress upload folder

  1. Choose the upload folder, or any other folder where you want to stop PHP script execution. Make sure not to install it in the root folder of your website; otherwise your website will stop working.
  2. In my case I selected the frontend_skin/uploads folder.
  3. Create test.php or any other PHP file in this folder (in my case I created anup.php) and paste the following code:
    <?php 
    echo "Hello";

    So the final URL to access this file is: http://anups-air/wp/frontend_skin/uploads/anup.php

  4. Open the URL in your browser. The file's code should be executed, meaning the <?php and echo keywords should not appear in the output, like the following output I’m getting:
  5. Now let’s disable it. Create a .htaccess file in the frontend_skin/uploads/ folder:
    <Files *.php>
    order deny,allow
    deny from all
    </Files>
  6. Now access your URL (http://anups-air/wp/frontend_skin/uploads/anup.php); the result should look like below:
  7. All Done

If you still get the old output, the configuration was not applied properly. In that case you can ask a WordPress expert for guidance or help.
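
A hardened variant of the rule from step 5, as an added example that is not from the original post: it works with both the Apache 2.2 and Apache 2.4 access-control syntax and also matches other extensions commonly mapped to PHP, in any letter case. The extension list is an assumption; adjust it to what your server's PHP handler actually accepts.

```apache
# Added example: place this .htaccess in the uploads folder only
# (e.g. frontend_skin/uploads/), never in the website root.

# Match PHP-handled extensions case-insensitively, not only ".php".
# The list (php, php3..php9, phtml, phar, pht) is an assumption.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar|pht)$">

    # Apache 2.4 and later: access control comes from mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, so fall back to the
    # Order/Deny syntax used in step 5 of the article.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>

</FilesMatch>
```

A request for a blocked file returns 403 Forbidden. If the .htaccess file has no effect, check that the server's AllowOverride setting for this directory permits it (AuthConfig for Require, Limit for Order/Deny).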

You can also describe your problem in a comment below.