: How to Secure Wordpress website using .htaccess , allowing only index.php execution access I am responsible for security of lots of shared hosting server. We have at least 500 wordpress website

@Vandalay111

You could do this, but there is very little reason to actually do it.

What it may protect against is this case:


an attacker can upload files with .php extension
to an arbitrary directory (otherwise, you could just secure that one upload directory)
but not with .htaccess extension (this would allow PHP execution via any file extension, such as png)
and they cannot overwrite existing files (which would mean they could just overwrite eg an existing index.php file)
and they cannot create subfolders (because they could upload a index.php file there)


This is a very narrow scenario. It's not impossible, so if you really think that you do need the added security, go ahead (this will not solve your spam problem though; for that, you would need to force better passwords, restrict the plugins users may install, and generally harden wordpress, also against those users). But it will likely cause more problems than it will solve, and it is not quite as easy to implement as it may seem.

For example, @Manis approach is flawed. php is not the only extension that allows the execution of php code. There is also php4, php5, pht, and so on. As it is very unlikely that an attacker can upload php files, but not php4 files, you definitely need to block those as well.

Additionally, if an attacker can upload files to arbitrary directories, they can just upload an index.php file to wp-includes (which inherits the index.php allows from the root directory). And if we can assume that attackers cannot upload files to arbitrary directories, well, then we can just protect that one directory. Because of this, it is important to limit the allow to the current directory.

Vote Up Vote Down

@Chiappetta492

I asked this question and I think, I have found the answer.

The following code to be appended in .htaccess of public_html

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

<Files index.php>
Order Allow,Deny
Allow from all
</Files>

<Files wp-login.php>
Order Allow,Deny
Allow from all
</Files>


The following code to be added in the .htaccess of wp-admin

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

<Files index.php>
Order Allow,Deny
Allow from all
</Files>
<Files admin-ajax.php>
Order Allow,Deny
Allow from all
</Files>
<Files load-styles.php>
Order Allow,Deny
Allow from all
</Files>
<Files load-scripts.php>
Order Allow,Deny
Allow from all
</Files>
<Files edit.php>
Order Allow,Deny
Allow from all
</Files>
<Files post-new.php>
Order Allow,Deny
Allow from all
</Files>
<Files edit-tags.php>
Order Allow,Deny
Allow from all
</Files>
<Files upload.php>
Order Allow,Deny
Allow from all
</Files>
<Files media-new.php>
Order Allow,Deny
Allow from all
</Files>
<Files edit-comments.php>
Order Allow,Deny
Allow from all
</Files>
<Files admin.php>
Order Allow,Deny
Allow from all
</Files>
<Files themes.php>
Order Allow,Deny
Allow from all
</Files>
<Files widgets.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugins.php>
Order Allow,Deny
Allow from all
</Files>
<Files customize.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugin-install.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugin-editor.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugin-install.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugin-install.php>
Order Allow,Deny
Allow from all
</Files>


I have tested & It is working fine in WordPresss. So that we can block the execution of other uploaded malicious file.

Let me know if it is wrong, Or does it work.

Or is there any other better way to do it.

Vote Up Vote Down