WordPress Help

Block PHP files with the Sucuri Security plugin

Malicious visitors can compromise your WordPress website if they manage to add and execute malicious PHP files. The following steps will help protect your site by blocking PHP execution in certain directories.

Required: You must install the Sucuri Security plugin before you follow these steps.
  1. Sign in to WordPress.
  2. In the left-side menu, select Sucuri Security > Settings.
  3. Select the Hardening tab.
  4. Find the section labeled Block PHP Files in Uploads Directory.
  5. If the section is red, select Apply Hardening. If it’s green, the hardening is already applied.
  6. Repeat the previous two steps for the Block PHP Files in WP-CONTENT Directory and Block PHP Files in WP-INCLUDES Directory sections.

Test your site to ensure these settings are not interfering with your theme and plugins. If blocking some files causes issues, allow them in the Sucuri Security plugin.

Note: If you can't apply or revert hardening for this feature, it may already be handled by your hosting platform.
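A file-level check that the three hardening options took effect, as an added example that is not part of the original article or of the Sucuri plugin. It assumes an Apache host where the hardening shows up as a `<FilesMatch>` deny rule in each directory's `.htaccess` (the article does not say how the plugin implements it); `blocks_php`, `audit` and the sample tree are hypothetical names and constructed data.

```python
import re
import tempfile
from pathlib import Path

# Directories covered by the three hardening options, relative to the WordPress root.
HARDENED_DIRS = ("wp-content/uploads", "wp-content", "wp-includes")

# Assumption (not stated in the article): hardening appears as an Apache <FilesMatch>
# block in the directory's own .htaccess that targets .php files and denies access.
FILESMATCH = re.compile(r'<FilesMatch\s+"?([^">]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)
DENY = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)

def blocks_php(htaccess_text):
    """True if a <FilesMatch> block targets php files and contains a deny directive."""
    # Drop comment lines so a commented-out rule does not count as protection.
    live = "\n".join(l for l in htaccess_text.splitlines() if not l.lstrip().startswith("#"))
    return any("php" in pat.lower() and DENY.search(body) for pat, body in FILESMATCH.findall(live))

def audit(wp_root):
    """Return ({directory: rule_present}, [php files found under uploads])."""
    root = Path(wp_root)
    rules = {}
    for rel in HARDENED_DIRS:
        ht = root / rel / ".htaccess"
        rules[rel] = ht.is_file() and blocks_php(ht.read_text(errors="replace"))
    # Uploads normally holds media, so any .php file there deserves a manual look.
    uploads_php = sorted(
        p.relative_to(root).as_posix() for p in (root / "wp-content/uploads").rglob("*")
        if p.is_file() and p.suffix.lower() == ".php")
    return rules, uploads_php

def build_sample_site():
    """Constructed sample: uploads hardened, wp-includes rule commented out, wp-content bare."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    rule = '<FilesMatch "\\.(?i:php)$">\n  Require all denied\n</FilesMatch>\n'
    for rel in HARDENED_DIRS:
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / "wp-content/uploads/.htaccess").write_text(rule)
    (root / "wp-includes/.htaccess").write_text("".join("# " + l + "\n" for l in rule.splitlines()))
    (root / "wp-content/uploads/2024").mkdir()
    (root / "wp-content/uploads/2024/image.PHP").write_text("<?php // constructed placeholder\n")
    return root

if __name__ == "__main__":
    rules, php = audit(build_sample_site())
    print(rules)
    print(php)
```

To audit a real install, call `audit()` with the path to the WordPress root instead of the sample tree. A directory reported without a rule may still be protected at the server or hosting level, as the note above describes.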

Related steps

Protect your website further by activating the other Sucuri Security options:
