Monday, June 16, 2025

How to Disable PHP Execution in Unused Folders

Web security is a critical concern for website owners, especially in Nepal’s growing digital landscape. One common security vulnerability is unrestricted PHP execution in directories where it’s not needed. Hackers often exploit this by uploading malicious scripts in folders like /uploads/ or /cache/.

In this guide, we’ll show you how to disable PHP execution in unused folders to strengthen your website’s security. Whether you’re using shared hosting, VPS, or a dedicated server, these methods will help protect your site from attacks.

Why Disable PHP Execution in Certain Folders?

1. Prevent Malicious File Uploads

Attackers often inject PHP scripts into folders like /uploads/ (common in WordPress). Disabling PHP execution blocks such exploits.

2. Improve Server Security

Reducing unnecessary PHP execution limits potential backdoors for hackers.

3. Comply with Security Best Practices

Many security audits recommend disabling PHP in non-essential directories.

4. Protect Sensitive Data

Disabling PHP execution prevents attackers from running PHP scripts that could access databases or config files.

Methods to Disable PHP Execution in Unused Folders

Method 1: Using .htaccess (For Apache Servers)

Most Nepal web hosting providers (including PokharaHost) use Apache, which supports .htaccess for directory-level security.

Steps:

  1. Access your website files via cPanel File Manager or FTP.
  2. Navigate to the folder where you want to disable PHP (e.g., /public_html/wp-content/uploads/).
  3. Create or edit the .htaccess file.
  4. Add this code:

    # On Apache 2.4 without mod_access_compat, use "Require all denied" instead of "Deny from all".
    <Files *.php>
        Deny from all
    </Files>

  5. Save the file. PHP execution is now blocked in that folder.

✔ Works on: Shared hosting, VPS (Apache)
✔ Best for: WordPress sites, Joomla, and other CMS platforms

Method 2: Using nginx Configuration (For VPS/Dedicated Servers)

If your Nepal hosting uses nginx, you can disable PHP execution via server blocks.

Steps:

  1. SSH into your server (if you have root access).
  2. Edit your nginx configuration (usually in /etc/nginx/sites-available/your-site.conf).
  3. Add this inside the server block:

    # Place above any general "location ~ \.php$" block: nginx uses the first matching regex location.
    location ~* ^/uploads/.*\.php$ {
        deny all;
        return 403;
    }

  4. Reload nginx:

    sudo systemctl reload nginx

✔ Works on: VPS, Cloud, Dedicated servers
✔ Best for: Advanced users managing their own servers

Method 3: Disable PHP via cPanel (For Shared Hosting Users)

Some Nepal web hosting providers allow PHP disabling via cPanel’s Directory Privacy settings.

Steps:

  1. Log in to cPanel.
  2. Go to File Manager → Select the target folder.
  3. Click Settings → Check “Disable scripts execution”.
  4. Save changes.

✔ Works on: Shared hosting with cPanel
✔ Best for: Beginners who don’t want to edit code

Method 4: Using PHP.ini Restrictions (For Advanced Users)

If you have custom PHP.ini access, you can disable PHP execution per directory.

Steps:

  1. Create a php.ini file in the folder where PHP should be disabled.
  2. Add this line:

    engine = off

  3. Save & upload the file.

✔ Works on: VPS, Dedicated servers
✔ Best for: Developers with server access

Testing If PHP Execution Is Disabled

After applying any method, upload a test PHP file (e.g., test.php with <?php phpinfo(); ?>) to the folder.

  • If it displays PHP info → PHP is still enabled.
  • If it shows a 403 error or doesn’t execute → Success!
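
A filesystem-side complement to the browser test, as an added example (not code from this guide's author or from PokharaHost): the script checks whether a folder's own .htaccess carries the Method 1 deny rule and counts PHP files already sitting in that folder. It assumes Apache with the rule placed in the folder itself; the script name audit.sh and the function names are hypothetical, and the sample tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit upload-style folders for a missing PHP deny rule and stray PHP files.

# Succeed if DIR/.htaccess holds a <Files>/<FilesMatch> section for PHP that denies access.
# Accepts the guide's "Deny from all" and Apache 2.4's "Require all denied".
has_php_deny_rule() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<files(match)?[ \t][^>]*php/ { in_sec = 1; next }
        line ~ /^[ \t]*<\/files(match)?>/           { in_sec = 0; next }
        in_sec && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
        END { exit !found }
    ' "$1/.htaccess"
}

# Count .php files under DIR (case-insensitive); an upload or cache folder should hold none.
count_php_files() {
    find "$1" -type f -iname '*.php' | wc -l | tr -d ' '
}

# Print one verdict line: PROTECTED or UNPROTECTED, the PHP file count, then the path.
audit_dir() {
    local verdict=UNPROTECTED
    has_php_deny_rule "$1" && verdict=PROTECTED
    echo "$verdict php_files=$(count_php_files "$1") $1"
}

# Usage: ./audit.sh DIR...   With no arguments, audit a constructed sample tree.
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/uploads" "$demo/cache"
    printf '<Files *.php>\n    Deny from all\n</Files>\n' > "$demo/uploads/.htaccess"
    printf '<?php phpinfo(); ?>\n' > "$demo/cache/test.php"   # constructed test file
    set -- "$demo/uploads" "$demo/cache"
fi
for d in "$@"; do audit_dir "$d"; done
```

A rule inherited from a parent folder's .htaccess or from the main server configuration is not detected, so an UNPROTECTED verdict means "no rule in this folder", and any non-zero php_files count deserves a look even where the folder is PROTECTED.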

Bonus: Automating Security for WordPress Users

If you’re using WordPress on Nepal hosting, you can automate PHP disabling in risky folders with plugins like:

  • Wordfence Security (Firewall + File Protection)
  • Sucuri Security (Malware Scanner + Hardening)
  • All In One WP Security & Firewall

These plugins can auto-block PHP execution in /wp-content/uploads/ and other sensitive areas.

Why Choose PokharaHost for Secure Web Hosting in Nepal?

PokharaHost provides secure, high-performance hosting with:

✅ Free SSL Certificates (HTTPS encryption)
✅ Malware Scanning & Removal
✅ Automatic Backups
✅ 24/7 Security Monitoring
✅ Expert Support for Hardening Your Site

Upgrade to a safer hosting environment today!

Final Thoughts

Disabling PHP execution in unused folders is a simple yet powerful security measure for any website hosted in Nepal. Whether you’re on shared hosting, VPS, or a dedicated server, applying these methods will reduce hacking risks significantly.

Key Takeaways:

🔒 Use .htaccess for Apache-based Nepal web hosting.
🔒 Configure nginx rules if you’re on a VPS.
🔒 Use cPanel’s directory restrictions for easy setup.
🔒 Test changes to ensure PHP is blocked.
🔒 Use security plugins for WordPress automation.

By following this guide, you’ll strengthen your website against common attacks and keep your data safe.

📢 Need help securing your website? Contact PokharaHost’s support team today!

Nalesh Bhandari
https://pokharahost.com/blog
Nalesh Bhandari is a content writer at Pokhara Host, specializing in web hosting, digital marketing, and technology. With years of experience in the industry, Nalesh is passionate about helping businesses and individuals make informed decisions about their online presence.
