Block PHP files with the Sucuri Security plugin
Malicious visitors can compromise your WordPress website if they manage to add and execute malicious PHP files. The following steps will help protect your site by blocking PHP execution in certain directories.
- Sign in to WordPress.
- In the left-side menu, select Sucuri Security > Settings.
- Select the Hardening tab.
- Find the section labeled Block PHP Files in Uploads Directory.
- If the section is red, select Apply Hardening. If it’s green, the hardening is already applied.
- Repeat the previous two steps for the Block PHP Files in WP-CONTENT Directory and Block PHP Files in WP-INCLUDES Directory sections.
Test your site to ensure these settings are not interfering with your theme and plugins. If blocking some files causes issues, allow them in the Sucuri Security plugin.
Note: If you can't apply or revert hardening for this feature, it may already be handled by your hosting platform.
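To confirm from a shell that the hardening took effect, the following check is an added example, not part of the original article or the Sucuri Security plugin. It assumes an Apache host where the rule is stored as a FilesMatch deny block in an .htaccess file in each of the three directories; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Sucuri's code). Assumption: Apache host where the
# hardening is stored as a FilesMatch deny block in each directory's .htaccess.

# Succeeds if $1/.htaccess has an uncommented FilesMatch block that targets
# PHP files and contains a deny directive (Apache 2.2 or 2.4 syntax).
php_blocked() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        /^[ \t]*#/ { next }   # commented-out rules do not count
        { line = tolower($0) }
        line ~ /<filesmatch/ && line ~ /php/ { inblock = 1; next }
        line ~ /<\/filesmatch>/ { inblock = 0 }
        inblock && line ~ /require[ \t]+all[ \t]+denied|deny[ \t]+from[ \t]+all/ { found = 1 }
        END { exit !found }
    ' "$1/.htaccess"
}

# Prints one status line per directory named in the steps above.
# Return value: number of directories without a blocking rule.
audit_wp_hardening() {
    wp_root="$1"
    missing=0
    for dir in wp-content/uploads wp-content wp-includes; do
        if php_blocked "$wp_root/$dir"; then
            echo "OK       $dir"
        else
            echo "NO RULE  $dir (not hardened, or handled by the hosting platform)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Counts PHP files already present under uploads, which normally holds media only.
count_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.[pP][hH][pP]' 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sh check.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp_hardening "$1"
    echo "PHP files in uploads: $(count_php_in_uploads "$1")"
fi
```

Any PHP file counted under uploads is worth reviewing by hand, whether or not the blocking rule is in place.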
Related steps
Protect your website further by activating the other Sucuri Security options:
- Make your WordPress version private with the Sucuri Security plugin
- Remove the WordPress readme file with the Sucuri Security plugin
- Disable the theme and plugin editor in WordPress with the Sucuri Security plugin
More info
- Use the Sucuri Security plugin to protect my WordPress website
- Secure my WordPress site
- If you don't want to deal with website security yourself, we also have a GoDaddy paid website security service that can take care of that for you. The service also includes site cleanup.