How to Prevent Scripts and Code from Executing within your WordPress Uploads Directory

, ,
WordPress Website Security Company Naples, Florida

If an attacker is able to remotely upload a malicious file to your WordPress websites’ “wp-content/uploads/” directory, they would then have the ability to access and execute that file on your server.

How does an attacker remotely upload a malicious file? Through a known or unknown security flaw in any one of your installed plugins, themes or via the WordPress core itself. This is why our Naples WordPress Security company provides affordable WordPress care plans.

With all these potential opportunities for a security hole to open up and for a hacker to take advantage of it, we must remain vigilant. It is imperative to the reputation of your business that you do your best to secure and prevent your WordPress website from being hacked.

Within this article we will show you a technique which effectively prevents scripts and PHP code from execution from within your “uploads” directory and its “sub-directories“.


Would you like prompt assistance? If you don’t have time or are not comfortable taking the risk of adding custom code to your website, let us get this done for you now!


Preventing Scripts and Code from Executing within your WordPress Uploads Directory

The following code should be inserted into an .htaccess file and uploaded to the root of your “wp-content/uploads/” directory. This added level of protection against a hacker managing to upload PHP code into your uploads directory is well worth the trouble.


# BEGIN Disable Upload Directory Code Execution
<IfModule mod_php5.c>
php_flag engine 0
<IfModule mod_php7.c>
php_flag engine 0
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# //END Disable Upload Directory Code Execution


Browse through our list of other website security tips and techniques to further enhance your WordPress websites’ security.


We hope this article has helped provide you with greater security on your existing and future WordPress websites. If this was helpful please take a moment to like us on Facebook, share this on your social media or buy us a cup of coffee.


Hire us to get it done for you!

Select, WordPress Security Support, from the drop down list on the form below. We’ll help fix your hacked WordPress website and lock it down to help prevent future exploits and security issues. While no one can protect against every possible attack, we can certainly help mitigate the risk to your website and business.