Disable PHP Execution & Directory Browsing for Better WordPress Security

In keeping your site safe, WordPress files and folders play a crucial role. Setting them correctly after WordPress activation can be one of the main goals. Setting proper authorization on who can see which files and what activities a user can perform can greatly boost the security status of your site. We’ll explore how disabling both PHP execution and directory browsing will boost the protection of your site in this article.

Disable PHP Execution: Why & How?

Any files in WordPress, such as Uploads or Themes or Plugins, may be written by design. This form of authorization requires photographs and videos to be posted to the web by users. Or on a platform to add themes and plugins. New files are saved in their respective directories each time we add a plugin or a theme. If the Theme and Plugins files were not writable, this would not be possible.

The ability to conveniently configure a site with the aid of themes and plugins is one of the reasons that many individuals enjoy using WordPress to create their pages. Anyone can instal any theme or plugin on their website and by default, the themes and plugin files can be written. Unfortunately, however, this kind of permission still opens up doors for hack attacks such as phishing attacks, SEO spams, brute force attacks, etc. Hackers can take advantage of a malicious script that can be run remotely and publish it. This will help them navigate your website in full or even ruin your website.

The Mailpoet Hack allowed hackers to upload a malicious PHP code to the Upload folder they were running to gain leverage of the website.

Removing writing consent is not easy so you can’t upload photos or even add extensions and themes to your web. But by preventing PHP execution, all you can do is decrease the scope of a successful attack. This will revoke the authorization to run in particular files.

Placing a special code in the .htacess file of the particular folder where you want to disable PHP execution is an easy way to disable PHP execution.

Note: Take copies of your site until files are changed. A single mistake could destroy your site or cause other problems in the move we are going to follow. Backups should guarantee that when a problem occurs, you can easily return to a functioning copy of the web.

Step 1: Simply build the .htaccess file in the Upload folder to disable PHP execution in the Uploads folder. In wp-content, the folder can be found under public html.


Step 2: Now open notepad (for Windows) or TextEdit (for Mac) to create a file. Include the following code and save this file as .htaccess (not .htaccess.txt):

# BEGIN WordPress
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L] </IfModule>
 # END WordPress

Step 3: Save the code to the upload folder and upload the file.
disable-PHP-execution-upload.pngStep 4: You now have a new file with .htaccess in the Upload folder. Right-click, then pick the Edit button. In your brand new .htaccess file, put the following piece of code.

<FilesMatch “\.(php|php\.)$”> 

Order Allow,Deny 

Deny from all 


In the image below, we placed the code in our .htaccess file.


This means that the execution of every file with “PHP” is caught and stopped. If a file like “mailciousPHPFileDisguisedAsJPEFfile.php.jpg” will be submitted by a hacker, it will be blocked from execution.

You can also apply codes to the .htaccess plugin and theme folder files for optimal security.

It is a bit dangerous to manually disable PHP execution. In the File Manager, one must tread carefully. A single misstep will cause your site to suffer severe harm. Disabling PHP execution using a plugin is faster and less costly. MalCare Protection Service comes with a Site Hardening feature that enables PHP execution to be disabled by users.


You will need your FTP details to enable this feature.

FTP-details-to-disable-PHP-executionDisabling PHP execution is the security of your website, but we will prevent directory browsing a step further.

Stop Directory Browsing: Why & How?

The directory listing a WordPress site can often be easily accessed by a tourist. For example, by simply opening “http:/westworldfansite.com/wp-includes/” in the browser, visitors to our Westworld Fansite website will access files specified in the wp-includes section.

It can seem innocuous, but listing directories will expose confidential details that can be used by hackers to obtain access to your site. So we need to cover the list. Although secrecy by anonymity is usually frowned upon, it is safer to cover as much data as possible. The fewer hackers know you, the less likely you are to be targeted by them.


We agreed to disable directory browsing to harden the protection of our site by putting the following code in the .htaccess format.

Before changing the .htaccess files, note to take backups of the web. On your web, one error will trigger big issues. Backups can mean that when a problem occurs, you can easily return to a functioning copy of the web.

Remember to change the .htaccess archive file that you want to block users from browsing. For example, if you wish to secure the wp-include folder, put the following line in the wp-include folder’s .htaccess file:

Options All –Indexes

After saving the code, we tried to view the directory listing and a 403 error page appeared.


Over to You

It will certainly boost the security of your website by disabling PHP execution and directory surfing, but it is only one of the ways to protect a WordPress platform from hacking attempts. Using a security plugin, using an SSL certificate, using a special and strong username and password, introducing HTTP authentication and two-factor authentication, among other items, are some of the other security steps that you can take.