Blocking PHP Execution From ALL of Your WordPress Sites Upload Folders

When looking for advise on hardening your WordPress sites many blogs recommend adding the following in a .htaccess file in each sites upload folder:

<Files *.php>
Deny from All

For those of us with a large amount of WordPress Sites, this is obviously labor prohibitive. If you have a regularized folder structure you may be able to do something like this:

<Directory /home/*/public_html/*/wp-content/uploads>
	<FilesMatch "\.(php|php\.)$">
		Order Allow,Deny
		Deny from all

And put it into a Apache configuration file as such:


And then enable it:

a2enconf block-wp-uploads-php.conf

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.