• I have read a page about security. I wanted to ask you if you’d recommend the following to me:

    “Hackers may want to install and execute a PHP script in your WordPress folders. WordPress is written mainly in PHP, which means you cannot disable that in all WordPress folders.

    However, there are some folders that don’t need any PHP scripts, such as your WordPress uploads folder located at /wp-content/uploads.

    You can safely disable PHP execution in the uploads folder, which is a common place that hackers use to hide backdoor files.

    First, you need to open a text editor like Notepad on your computer and paste the following code:

    <Files *.php>
    deny from all
    </Files>

    Now, save this file as .htaccess and upload it to the /wp-content/uploads/ folders on your website using an FTP client.”

    Is this code still useful and updated?

    I would also like to add that at the moment there are a lot of folders in this directory, but I think they are of no use; they often have the names of plugins that I no longer use. I think that for security it is better to keep only what is needed, also to understand more quickly if there are malware files. I would like to be sure not to delete things useful for the functioning of the site.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Is this code still useful and updated?

    The theory is valid.

    But there are a million other folders where PHP needs to run, and where PHP malware could be hidden. Heck, I’ve even seen malware appended to existing WordPress core files on numerous occasions.

    So this would be towards the bottom of my security plan.

    And, by the way, .htaccess rules only work with the Apache webserver. I see you’re running the Nginx webserver. Unless you’re running Nginx as a reverse proxy with Apache behind it, then these rules won’t do you any good at all… you’ll need to research a way to implement the same technique on your Nginx webserver.

    Good luck!

    Thread Starter sacconi

    (@sacconi)

    This should work for Nginx

    # Deny direct requests for any PHP file under /wp-content/ (regex location).
    # Place it before the generic "location ~ \.php$" handler: nginx uses the
    # first regex location that matches.
    location ~* /wp-content/.*\.php$ {
        deny all;            # answer 403 instead of passing the file to PHP-FPM
        access_log off;      # do not log these blocked requests
        log_not_found off;   # suppress "file not found" error-log entries
    }

    Is it correct? Do I have to put it in my functions.php?

    I found this code here: https://www.bjornjohansen.com/block-access-to-php-files-with-nginx

    The rules should be fine.

    But this is not PHP code so don’t put it into any .php file.

    This is Nginx configuration code, and should either go into your Nginx webserver’s main configuration file (nginx.conf), or another .conf file that’s included/loaded by the main configuration file.
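    One caveat worth checking when the rules go into an nginx .conf: nginx tries regex `location` blocks in the order they appear and uses the first match, so a deny rule listed after the generic `\.php$` handler that passes requests to PHP-FPM never fires. The following is an added example, not code from the thread or the linked article: a small Python check that parses two constructed configs and reports which block wins for a PHP path under uploads. It simplifies nginx's algorithm by ignoring prefix and exact locations and treats the patterns as Python regexes.

```python
import re

# Constructed sample configs for the check (not from the thread). Both contain the
# same two regex locations; only their order differs.
DENY_FIRST = """
server {
    location ~* /wp-content/uploads/.*\\.php$ { deny all; access_log off; log_not_found off; }
    location ~ \\.php$ { include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; }
}
"""
HANDLER_FIRST = """
server {
    location ~ \\.php$ { include fastcgi_params; fastcgi_pass unix:/run/php/php-fpm.sock; }
    location ~* /wp-content/uploads/.*\\.php$ { deny all; access_log off; log_not_found off; }
}
"""

LOCATION_RE = re.compile(r'location\s+(?P<mod>~\*|~|=|\^~)?\s*(?P<pat>\S+)\s*\{')

def parse_locations(conf):
    """Return (modifier, pattern, body) for every location block, in config order."""
    blocks = []
    for m in LOCATION_RE.finditer(conf):
        depth, i = 0, m.end() - 1              # m.end() - 1 is the opening brace
        while i < len(conf):
            if conf[i] == '{':
                depth += 1
            elif conf[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        blocks.append((m.group('mod') or '', m.group('pat'), conf[m.end():i]))
    return blocks

def winning_regex_location(conf, uri):
    """Simplified nginx selection: regex locations are tried in order of appearance
    and the first one that matches wins. Prefix/exact locations and PCRE-vs-Python
    regex differences are ignored (assumption: plain patterns like those above)."""
    for mod, pat, body in parse_locations(conf):
        if mod in ('~', '~*') and re.search(pat, uri, re.IGNORECASE if mod == '~*' else 0):
            return pat, body
    return None

def php_in_uploads_is_blocked(conf, uri='/wp-content/uploads/2024/test.php'):
    """True only if the first matching regex location denies the request instead
    of handing it to PHP-FPM; False when the handler is listed first."""
    hit = winning_regex_location(conf, uri)
    return hit is not None and 'deny all' in hit[1] and 'fastcgi_pass' not in hit[1]
```

    Run `nginx -T` on the live server and feed its output to `php_in_uploads_is_blocked` to check the real include order rather than the constructed samples.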


The topic ‘Disable PHP File Execution in Specific WordPress Folders’ is closed to new replies.