Restrict Direct Access to WordPress PHP Files

A comprehensive guide on how to restrict the direct access to WordPress PHP files.

Emmad avatar
Written by Emmad
Updated over a week ago

Malicious actors usually exploit vulnerabilities in themes and plugins present in wp-content and wp-includes directories of your WordPress application. They use them to upload and execute backdoor files and malware to your website. Therefore, we recommend restricting direct access and execution of PHP files. It helps to block remote access and execution of any PHP file present in these directories and offers protection to your website against such malicious attacks.


Backdoor refers to methods of gaining illicit access to a website through means that bypass authentication methods, such as file injections using PHP.

How to Restrict Direct Access to WordPress PHP Files

Direct access to PHP files is disabled by default if you launch a new application. If your application has direct access enabled and you want to disable it, you can follow these steps.

Securing WordPress — Navigate to Application Settings

Log in to your Cloudways Platform using your credentials.

  1. From the top menu bar, open Servers.

  2. Then, choose the server where your desired application is deployed.

3. Next, click www.

4. Choose your application’s name.

5. Under Application Management, select Application Settings.

Securing WordPress — Restrict Direct Access to PHP Files

  1. Scroll down in Application Settings and Disable Direct PHP Files Access. ‘Disable’ means that direct access to PHP files is restricted; whereas, ‘Enable’ means that direct access to PHP files is allowed.

2. You will be prompted here about disabling direct access to PHP files. Click OK to confirm.

That’s it! We hope this tutorial was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

Did this answer your question?