Disable file execution in the WordPress uploads folder

In this guide, we show you how to disable file execution in the uploads folder for WordPress.

The uploads folder is where your site's images and other media files are stored, which means that it needs to be writable. However, because it is writable, it can be abused by hackers, who can use it to upload and execute malware.

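Disabling file execution doesn't block the uploading of new files. Instead, the rule in Step 4 tells the web server to deny requests for uploaded files with script extensions, so the uploaded files won't execute, meaning that hackers can't exploit them.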


Step 1 - Go to the uploads folder in File Manager

  1. Log into the one.com Control Panel.
  2. Open File Manager under Files & Security.
  3. Navigate to wp-content > uploads within your WordPress installation.

Screenshot of the uploads folder in File Manager.


Step 2 - Create a .htaccess file

  1. Click the arrow next to the + upload button in the top-left corner.
  2. Select New other file in the drop-down menu.
  3. Name the file .htaccess.

Note: If a .htaccess file already exists in the uploads folder, you don't need to create a new one. Simply add the code to the existing file, either at the top or the bottom.

Screenshot showing how to create a new file in the uploads folder in File Manager.


Step 3 - Edit the .htaccess file

  1. Select the .htaccess file by checking the box in front of it.
  2. Click Edit in the top menu bar, towards the middle of your screen.

Screenshot showing how to edit a file in File Manager.


Step 4 - Paste in the code and Save

  1. Paste in the following code:

# Block executables
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
    deny from all
</FilesMatch>

  2. Click Save in the top menu bar.

That was all!

Screenshot showing how to save a file in File Manager.
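
A follow-up check for Step 4, added here as an example (it is not part of the original guide or of one.com's tooling): a Python script that confirms the rule is present in the uploads .htaccess and lists files already in the folder that match the rule's extension list, plus any .htaccess in a subfolder, for manual review. The function names and the demo tree are assumptions made for this example.

```python
import re
import sys
import tempfile
from pathlib import Path

# Extension list copied from the FilesMatch rule in Step 4.
BLOCKED = re.compile(
    r"\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$"
)
# A FilesMatch block that covers php and denies access ("Require all denied"
# is the Apache 2.4 spelling of the same rule).
RULE = re.compile(
    r'<FilesMatch\s+"[^"]*php[^"]*">(?:(?!</FilesMatch>).)*?'
    r"(?:deny from all|Require all denied)",
    re.I | re.S,
)


def rule_installed(uploads: Path) -> bool:
    """True if uploads/.htaccess holds the deny rule for script extensions."""
    htaccess = uploads / ".htaccess"
    return htaccess.is_file() and bool(RULE.search(htaccess.read_text(errors="replace")))


def audit(uploads: Path) -> dict:
    """List files under uploads that need a manual look."""
    report = {"rule_installed": rule_installed(uploads),
              "script_files": [], "nested_htaccess": []}
    for path in sorted(p for p in uploads.rglob("*") if p.is_file()):
        rel = path.relative_to(uploads).as_posix()
        if path.name == ".htaccess":
            if path.parent != uploads:  # a deeper .htaccess can change the rule there
                report["nested_htaccess"].append(rel)
        elif BLOCKED.search(path.name):  # media folders should not hold these
            report["script_files"].append(rel)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(Path(sys.argv[1])))
    else:  # constructed demo tree, not real site data
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "2024").mkdir()
            (root / "2024" / "photo.jpg").write_bytes(b"")
            (root / "2024" / "cache.php").write_text("<?php // constructed sample")
            print(audit(root))
```

Pass the path to a copy of the uploads folder as the first argument; without an argument the script runs on the constructed demo tree.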

