WordPress makes certain directories can be written. The WordPress folder or directory can be written by default, which means that you and authorized users can easily upload themes, add-ons and images to your website. Disabling the execution of PHP in certain directories will prevent your blog from accessing unauthorized users who can load malware on your website.
Hackers can exploit these writable directories by loading malicious PHP code in them and running them remotely to wreak havoc on their site.
A simple way to disable PHP execution is to place a special code in the .htacess file of that specific folder where you want to disable PHP execution.
We Will Create Or Edit The .htaccess File With Filezilla
WordPress has an .htaccess file in the root folder of your website. The .htaccess file is the configuration file used to edit the WordPress site settings to enable or disable additional features. The .htaccess files are automatically created in the root directory of your WordPress site.
In the event that this file does not exist, you can create one and upload it to particular directories of your blog to protect your site, /wp-includes/ and /wp-content/uploads/ directories.
<Files *.php> Order Allow,Deny Deny from all </Files>
We Will Create Or Edit The .htaccess File With cPanel
In this case we will enter the cPanel of our host.
Go to cPanel → File Manager.
We can see that in Upload there is no .htaccess file, in this case we have to create it.
At the top left we will select “File”, now in the new window we will only have to write the name of our file.
We click on the right mouse button on the file we want to edit.
We copy the code and paste it in the editor that opens.
Remember to take backups of your site before modifying the .htaccess files. One mistake can cause major problems on your site. Backups will ensure that you can quickly revert to a working copy of your site when an issue crops up.