Malicious actors usually exploit vulnerabilities in themes and plugins in the wp-content and wp-includes directories of your WordPress application, and use them to upload and execute backdoor files and malware on your website. Therefore, we recommend restricting direct access to, and execution of, PHP files. This blocks remote access to and execution of any PHP file in these directories and protects your website against such attacks.
A backdoor is a method of gaining illicit access to a website by bypassing authentication, for example through file injection using PHP.
How to Restrict Direct Access to WordPress PHP Files
Direct access to PHP files is disabled by default if you launch a new application. If your application has direct access enabled and you want to disable it, you can follow these steps.
Securing WordPress — Navigate to Application Settings
1. Log in to your Cloudways Platform using your credentials.
2. From the top menu bar, open Servers. Then, choose the server where your desired application is deployed.
3. Next, click www.
4. Choose your application’s name.
5. Under Application Management, select Application Settings.
Securing WordPress — Restrict Direct Access to PHP Files
1. Scroll down in Application Settings and Disable Direct PHP Files Access. ‘Disable’ means that direct access to PHP files is restricted, whereas ‘Enable’ means that direct access to PHP files is allowed.
2. You will be prompted here about disabling direct access to PHP files. Click OK to confirm.
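To check that the restriction is working, you can scan the application's access log for direct requests to PHP files under wp-content and wp-includes and see whether any were served. The script below is an added example, not Cloudways code; it assumes the "combined" access log format, and the log lines, IP addresses and file names in it are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: access log in the "combined" format used by Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP file reached directly under the two directories named in the article.
PHP_IN_PROTECTED = re.compile(r'^/(wp-content|wp-includes)/.*\.php(/|$)', re.IGNORECASE)


def direct_php_hits(lines):
    """Return (ip, method, path, status, served) for each direct PHP request
    under wp-content or wp-includes. served=True means the server answered
    2xx, i.e. the request was not blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Drop the query string and decode percent-encoding before matching.
        path = unquote(urlsplit(m.group("target")).path)
        if PHP_IN_PROTECTED.match(path):
            status = int(m.group("status"))
            hits.append((m.group("ip"), m.group("method"), path, status,
                         200 <= status < 300))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-content/uploads/2024/03/img.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-content/plugins/example/up%6Coad.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-includes/js/example.PHP/extra HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for ip, method, path, status, served in direct_php_hits(SAMPLE_LOG):
        state = "SERVED " if served else "blocked"
        print(f"{state} {status} {method} {path} from {ip}")
```

Any line reported as SERVED after the setting is disabled is worth reviewing, both the file itself and how it came to be in that directory.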