{"id":8574,"date":"2025-05-17T06:10:54","date_gmt":"2025-05-17T06:10:54","guid":{"rendered":"https:\/\/pokharahost.com\/blog\/?p=8574"},"modified":"2025-06-06T06:12:22","modified_gmt":"2025-06-06T06:12:22","slug":"how-to-disable-php-execution-in-unused-folders","status":"publish","type":"post","link":"https:\/\/pokharahost.com\/blog\/how-to-disable-php-execution-in-unused-folders\/","title":{"rendered":"How to Disable PHP Execution in Unused Folders"},"content":{"rendered":"\n

Web security is a critical concern for website owners, especially in Nepal\u2019s growing digital landscape. One common security vulnerability is unrestricted PHP execution<\/strong> in directories where it\u2019s not needed. Hackers often exploit this by uploading malicious scripts in folders like \/uploads\/<\/code> or \/cache\/<\/code>.<\/p>\n\n\n\n

In this guide, we\u2019ll show you how to disable PHP execution in unused folders<\/strong> to strengthen your website\u2019s security. Whether you\u2019re using shared hosting, VPS, or a dedicated server<\/strong>, these methods will help protect your site from attacks.<\/p>\n\n\n\n

Why Disable PHP Execution in Certain Folders?<\/strong><\/h2>\n\n\n\n

1. Prevent Malicious File Uploads<\/strong><\/h3>\n\n\n\n

Attackers often inject PHP scripts into folders like \/uploads\/<\/code> (common in WordPress). Disabling PHP execution blocks such exploits.<\/p>\n\n\n\n

2. Improve Server Security<\/strong><\/h3>\n\n\n\n

Reducing unnecessary PHP execution limits potential backdoors for hackers.<\/p>\n\n\n\n

3. Comply with Security Best Practices<\/strong><\/h3>\n\n\n\n

Many security audits recommend disabling PHP in non-essential directories.<\/p>\n\n\n\n

4. Protect Sensitive Data<\/strong><\/h3>\n\n\n\n

Prevents attackers from running PHP scripts that could access databases or config files.<\/p>\n\n\n\n

Methods to Disable PHP Execution in Unused Folders<\/strong><\/h2>\n\n\n\n

Method 1: Using .htaccess (For Apache Servers)<\/strong><\/h3>\n\n\n\n

Most Nepal web hosting<\/strong> providers (including PokharaHost) use Apache<\/strong>, which supports .htaccess<\/code> for directory-level security.<\/p>\n\n\n\n

Steps:<\/strong><\/h4>\n\n\n\n
    \n
  1. Access your website files<\/strong>\u00a0via\u00a0cPanel File Manager<\/strong>\u00a0or\u00a0FTP<\/strong>.<\/li>\n\n\n\n
  2. Navigate to the folder<\/strong>\u00a0where you want to disable PHP (e.g.,\u00a0\/public_html\/wp-content\/uploads\/<\/code>).<\/li>\n\n\n\n
  3. Create or edit<\/strong>\u00a0the\u00a0.htaccess<\/code>\u00a0file.<\/li>\n\n\n\n
  4. Add this code:<\/strong><\/li>\n<\/ol>\n\n\n\n

    apache<\/p>\n\n\n\n

    Copy<\/p>\n\n\n\n

    Download<\/p>\n\n\n\n

    <Files *.php>\n    Deny from all\n<\/Files><\/pre>\n\n\n\n
      \n
    1. Save the file.<\/strong>\u00a0PHP execution is now blocked in that folder.<\/li>\n<\/ol>\n\n\n\n
      \u2714 Works on:<\/strong> Shared hosting, VPS (Apache)
      \u2714 Best for:<\/strong> WordPress sites, Joomla, and other CMS platforms<\/p>\n\n\n\n
      Method 2: Using nginx Configuration (For VPS\/Dedicated Servers)<\/strong><\/h3>\n\n\n\n
      If your Nepal hosting<\/strong> uses nginx<\/strong>, you can disable PHP execution via server blocks.<\/p>\n\n\n\n
      Steps:<\/strong><\/h4>\n\n\n\n
        \n
      1. SSH into your server<\/strong>\u00a0(if you have root access).<\/li>\n\n\n\n
      2. Edit your nginx configuration<\/strong>\u00a0(usually in\u00a0\/etc\/nginx\/sites-available\/your-site.conf<\/code>).<\/li>\n\n\n\n
      3. Add this inside the server block:<\/strong><\/li>\n<\/ol>\n\n\n\n
        nginx<\/p>\n\n\n\n
        Copy<\/p>\n\n\n\n
        Download<\/p>\n\n\n\n
        location ~* ^\/uploads\/.*\\.php$ {\n    deny all;\n    return 403;\n}<\/pre>\n\n\n\n
          \n
        1. Reload nginx:<\/strong><\/li>\n<\/ol>\n\n\n\n
          bash<\/p>\n\n\n\n
          Copy<\/p>\n\n\n\n
          Download<\/p>\n\n\n\n
          sudo systemctl reload nginx<\/pre>\n\n\n\n
          \u2714 Works on:<\/strong> VPS, Cloud, Dedicated servers
          \u2714 Best for:<\/strong> Advanced users managing their own servers<\/p>\n\n\n\n
          Method 3: Disable PHP via cPanel (For Shared Hosting<\/a> Users)<\/strong><\/h3>\n\n\n\n
          Some Nepal web hosting<\/strong> providers allow PHP disabling via cPanel\u2019s Directory Privacy<\/strong> settings.<\/p>\n\n\n\n
          Steps:<\/strong><\/h4>\n\n\n\n
            \n
          1. Log in to\u00a0cPanel<\/strong>.<\/li>\n\n\n\n
          2. Go to\u00a0File Manager<\/strong>\u00a0\u2192 Select the target folder.<\/li>\n\n\n\n
          3. Click\u00a0Settings<\/strong>\u00a0\u2192 Check\u00a0“Disable scripts execution”<\/strong>.<\/li>\n\n\n\n
          4. Save changes.<\/li>\n<\/ol>\n\n\n\n
            \u2714 Works on:<\/strong> Shared hosting with cPanel
            \u2714 Best for:<\/strong> Beginners who don\u2019t want to edit code<\/p>\n\n\n\n
            Method 4: Using PHP.ini Restrictions (For Advanced Users)<\/strong><\/h3>\n\n\n\n
            If you have custom PHP.ini access<\/strong>, you can disable PHP execution per directory.<\/p>\n\n\n\n
            Steps:<\/strong><\/h4>\n\n\n\n
              \n
            1. Create a\u00a0php.ini<\/code>\u00a0file<\/strong>\u00a0in the folder where PHP should be disabled.<\/li>\n\n\n\n
            2. Add this line:<\/strong><\/li>\n<\/ol>\n\n\n\n
              ini<\/p>\n\n\n\n
              Copy<\/p>\n\n\n\n
              Download<\/p>\n\n\n\n
              engine = off<\/pre>\n\n\n\n
                \n
              1. Save & upload<\/strong>\u00a0the file.<\/li>\n<\/ol>\n\n\n\n
                \u2714 Works on:<\/strong> VPS, Dedicated servers
                \u2714 Best for:<\/strong> Developers with server access<\/p>\n\n\n\n
                Testing If PHP Execution Is Disabled<\/strong><\/h2>\n\n\n\n
                After applying any method, upload a test PHP file<\/strong> (e.g., test.php<\/code> with <?php phpinfo(); ?><\/code>) to the folder.<\/p>\n\n\n\n