Disable PHP Execution & Directory Browsing in WordPress

With so many threats out there, WordPress site security should be a top priority for site owners. Hackers often exploit vulnerabilities through PHP execution or by gaining access to a site’s directory structure to uncover weak points. One effective way to protect your site is by restricting PHP from running in vulnerable folders and disabling directory browsing. This guide will walk you through these steps to help secure your WordPress site, so you can feel confident that it’s well-protected.


PHP is the backbone of many dynamic features in content management systems like WordPress. However, leaving PHP execution enabled in folders like /wp-content/uploads/ can open the door for hackers to upload and execute harmful scripts. Disabling PHP execution in non-essential folders reduces this risk significantly.

Directory browsing exposes your site’s folder structure and contents, making it easier for malicious actors to locate sensitive files, such as backups or configuration files. By disabling directory browsing, you keep your site’s structure private and better protected.


Before making any changes to your site files, create a backup to protect your data if you need to restore it later.

Using cPanel:

1. Log into your hosting provider’s cPanel.
2. Under the Files section, select Backup or Backup Wizard.
3. Follow the prompts to create a full backup of your website, including databases and files.

Using a backup plugin:

1. Install a backup plugin like UpdraftPlus or BackWPup.
2. Follow the plugin instructions to generate a backup and store it safely.

To disable PHP execution in certain directories, we will modify the .htaccess file, commonly used on Apache servers.

1. Access Your Site Files:
   Use an FTP client (e.g., FileZilla) or your hosting provider’s file manager to access the root directory of your WordPress site.

2. Navigate to Vulnerable Directories:
   Target directories where PHP execution isn’t necessary, such as /wp-content/uploads/ and /wp-includes/.

3. Create or Edit the .htaccess File:
   Inside each target directory, create a new file named .htaccess if it doesn’t exist. Open this file in a text editor and add the following code:

2.1 How to Disable PHP Execution Using the .htaccess File
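The listing itself is not reproduced on this page, so the following is an example added here (not the article's own snippet) of a per-directory .htaccess for /wp-content/uploads/ that refuses direct requests for PHP scripts. It assumes Apache with AllowOverride enabled for that directory; nginx ignores .htaccess files entirely, so there the equivalent rule has to live in the server configuration.

```apacheconf
# /wp-content/uploads/.htaccess  (example added here, not the article's own file)
# Refuse direct HTTP requests for PHP scripts in this directory, including the
# alternate extensions that Apache's PHP handler may also map to the interpreter.

# Apache 2.4 syntax
<IfModule mod_authz_core.c>
  <FilesMatch "\.(?:php|phtml|php[0-9]|phar)$">
    Require all denied
  </FilesMatch>
</IfModule>

# Apache 2.2 fallback (same rule in the older access-control syntax)
<IfModule !mod_authz_core.c>
  <FilesMatch "\.(?:php|phtml|php[0-9]|phar)$">
    Order deny,allow
    Deny from all
  </FilesMatch>
</IfModule>
```

This only blocks direct requests (a script that a plugin includes from disk still runs), and if you apply the same file to /wp-includes/, test the site afterwards, since some installs (notably Multisite, which serves uploads through ms-files.php) request scripts in that directory directly.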
4. Save and Upload:
   Save the file and upload it to the directory. Repeat for each directory where PHP execution should be blocked.

5. Confirm Changes:
   To verify, try accessing a PHP file in the protected directory (e.g., yoursite.com/wp-content/uploads/test.php). You should see a 403 Forbidden error.

Tip: If you see an error or your site malfunctions, revert to your backup, check the .htaccess syntax, or consult your hosting provider.


Directory browsing allows users to see the contents of a directory, which is often risky. Here’s how to disable it.

1. Open the Root Directory:
   Use FTP or your hosting’s file manager to access the root directory of your WordPress site.

2. Open the .htaccess File:
   If a .htaccess file exists, open it for editing. Otherwise, create a new .htaccess file.

3. Add the Following Code:
   Paste this line at the end of the file:

3.1 Disabling Directory Browsing with .htaccess
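As an added example (not the article's own listing), here is a root .htaccess with the directory-listing directive in place. It assumes a standard single-site install whose permalink rules WordPress manages, on Apache with AllowOverride permitting Options; the directive must sit outside the block WordPress rewrites, otherwise it is lost the next time permalinks are saved.

```apacheconf
# /.htaccess in the WordPress root  (example added here, not the article's own file)
# Custom directives go OUTSIDE the managed block: everything between
# "# BEGIN WordPress" and "# END WordPress" is regenerated by WordPress.

# Turn off auto-generated directory listings for this directory and all
# subdirectories. Requires AllowOverride Options (or All) in the vhost;
# if the host forbids it, Apache answers every request with a 500 error.
Options -Indexes

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

If the host already sets Options -Indexes server-wide, the line is harmless; if a single directory still lists, check that no deeper .htaccess re-enables it with Options +Indexes.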
4. Save and Upload:
   Save and upload the updated .htaccess file to your root directory.

5. Verify Changes:
   Test by visiting a directory on your site (e.g., yoursite.com/wp-content/). A 403 Forbidden error confirms directory browsing is disabled.

Tip: If you see an error or your site malfunctions, revert to your backup, check the .htaccess syntax, or consult your hosting provider.


For those preferring a no-code approach, plugins offer a straightforward solution.

1. Choose a Security Plugin:
   Plugins like Sucuri Security, iThemes Security, or All In One WP Security provide the necessary settings.

2. Installation and Setup:
   – Install your preferred plugin via Plugins > Add New in the WordPress dashboard.
   – Activate the plugin and open its settings.

3. Enable PHP and Directory Browsing Restrictions:
   – In Sucuri Security: go to Settings > Hardening and select Block PHP Files in Uploads Directory and Disable Directory Browsing.
   – In iThemes Security: go to Security Settings and find System Tweaks. Check options like PHP in Uploads and Directory Browsing to disable them.

Note: Each plugin’s settings may differ slightly. Always refer to the plugin’s documentation for specifics on enabling these features.


Errors can sometimes occur when editing .htaccess. Here are some common issues and solutions:

  • Syntax Errors: Double-check the .htaccess syntax. A misplaced character could prevent the file from working.
  • File Permission Issues: Ensure the .htaccess file has the correct permissions (usually 644 or 755).
  • Conflicting Plugins: Some plugins might conflict with .htaccess settings. If you encounter issues, try disabling plugins one by one.
  • Reverting Changes: If all else fails, restore from your backup and try again.

Tip: Reach out to your hosting provider if errors persist. They can offer insights or resolve issues directly.


To further secure your WordPress site, consider these best practices:

Use Strong Passwords and Two-Factor Authentication (2FA):

Secure admin logins with strong, unique passwords and enable 2FA for added protection.

Install a Web Application Firewall (WAF):

A firewall like Sucuri’s WAF filters malicious traffic, blocks threats, and shields your site from vulnerabilities.

Keep WordPress and Plugins Updated:

Outdated themes or plugins can introduce security flaws, so regularly update your site components.

Regular Backups:

Back up your site at regular intervals to ensure data can be restored if an incident occurs.

Taking steps like disabling directory browsing and blocking PHP execution in non-essential directories can greatly reduce security risks and prevent unauthorized access to your WordPress site. These straightforward safety practices provide a strong foundation for a more secure site and can help limit unwanted attempts to breach it.

For even more comprehensive protection, consider using Sucuri’s solutions, including malware scanning and firewalls. Visit Sucuri.net to explore additional ways to safeguard your website. We’re here to help you protect your site so you can focus on what matters most.
