How to Protect the wp-content Folder of Your WordPress Website

How to Protect the wp-content Folder of Your WordPress Website

It's no magic that WordPress users always remain concerned about website security. The total number of WordPress users is increasing rapidly, and so make the threats.

In the last couple of years, people have faced severe damage to their websites because of some possible vulnerabilities, I am sure, you don't want to have any.

Ever since I started using WordPress, I have come across many ups and downs, which taught me to take care of my website. You should also have a clear mind to grasp the WordPress security guide.

As you all know, whenever you upload an image, video, pdf, or any other media file, it goes to the media library, which means in the wp-content/uploads directory of WordPress.

If you are a tech-savvy person, you may already know that WordPress is a PHP-based Content Management System and wp-content/uploads require PHP execution every time someone tries to upload a media file.

It's vital to stop this PHP execution to secure this directory.

Note: This topic is about protecting the wp-content/uploads folder.

You may have a question as if why does the title show only wp-content folder, well, it's because Uploads directory resides inside it and you can't stop PHP execution for every directory in wp-content, it consists plugins which may require PHP access.

To keep the website running, you should protect only the UPLOADS directory.

Where Should You Add the Code

As you already know, .htaccess is one of the most efficient files, which controls tons of task of a WordPress website, you need to use this file.

But there is a twist; you're not going to modify the main .htaccess file, you have to create a new file in the wp-content/uploads directory.

Whenever you aim to apply an action to a specific directory, you require a new file instead of using the core file.

Let's start the process.

Step 1

Login to your cPanel account offered by your web hosting company and open the File Manager, you can find it under Files.

How to Protect the wp-content Folder of Your WordPress Website

You should know, the data of your website is hosted in a file manager.

Step 2

Open the root directory/public_html from the vertical navigation menu of cPanel and search for wp-content.

How to Protect the wp-content Folder of Your WordPress Website

Click to open.

Step 3

As discussed earlier, the folder consists of many directories from which, you need to open the uploads folder.

How to Protect the wp-content Folder of Your WordPress Website

The UPLOADS directory has all the media files of your WordPress website. You can see the arrangement after opening it.

Step 4

You can see no sign of the .htaccess file here. To create a new file, click on File showing at the top-left corner of the main navigation menu of cPanel.

How to Protect the wp-content Folder of Your WordPress Website

Step 5

A popup appears, which require you add the file name. Make sure you don't forget the dot as a prefix of the .htaccess file.

How to Protect the wp-content Folder of Your WordPress Website

You can see the path of your wp-content/uploads directory. I must tell you that if you run a website on a subdomain, the path may be different.

When you host an addon domain or multiple websites at the same web hosting server, you need to create the different folders to keep the data separated.

For now, click on the Create New File button.

Step 6

Refresh the page, and you can see the .htaccess file. As always, you need to right-click to edit it.

How to Protect the wp-content Folder of Your WordPress Website

A new tab appears to you. You can see an empty file because it's just a text file, unlike the main .htaccess file, it doesn't contain the rewrite rules.

Add this code.

# Kill PHP Execution
<Files ~ ".ph(?:p[345]?|t|tml)$">
deny from all

Click Save Changes. This code will stop PHP execution in wp-content/uploads directory.

Note: It's important to check your website after adding the code, if your website behaves differently, you should remove the code.

It's because if you use a custom WordPress theme, it's possible that your web developer has used the media files available in the WordPress media library, which require to execute PHP.

But if you use any pre-built WordPress theme, it works perfectly. Let's say you use any of the free themes available in the WordPress theme repository; you don't need to worry.

If you buy any theme from ThemeForest or any premium WordPress theme seller, it will work great. The only problem can occur when you hire a web developer to build a custom theme for your website.

Make sure you talk to them.

If everything works fine for you, congrats, you have successfully disabled PHP execution for your wp-content/uploads directory.

I Hope You Have Understood the Concept of Securing the Directory

Every time we talk about website security, people start to fret. Well, there is nothing to be afraid of. To enhance your website's safety, you must perceive the truth behind website hacking.

There may be many vulnerabilities inside your website and its web server, it's essential to have a look and fix them. Stopping PHP execution is one of the best practices.


Adding the code mentioned above will help you secure the uploads directory. I am sure; you have understood the concept of website security.

Don't forget to check your website's behavior after adding the code in the .htaccess file, if something goes wrong, remove the code.

I suggest you to always keep the backup of your website and its database before making any changes.

Check out these top 3 WordPress hosting services:

Was this article helpful?