How do I completely disable PHP or other scripts from running in a directory on my site?

Some third-party script software allows other people to upload files to directories (folders) on your website. For example, you could install photo gallery software that allows your friends to upload photographs.

If you install software that allows this, the software must be careful to check that the uploaded files aren’t actually scripts that send spam or perform other malicious actions. Unfortunately, we’ve heard of bugs in some software that can allow malicious files to be uploaded.

If you use software that allows uploads, you can protect yourself by preventing the server from “executing” (running) any file in that directory as any kind of script.

To do this, add this line to a .htaccess file in the directory where uploaded files are located:

SetHandler default-handler

If you do this, and someone manages to upload (for example) a “.php” file to that directory, the server will refuse to run it.
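As an added example (not part of this FAQ), here is a small POSIX shell helper that adds the directive to an upload directory's .htaccess only when an uncommented copy isn't already there, plus an optional live check that fetches a harmless probe file and confirms it comes back as plain text instead of being run. The directory path and site URL passed to it are assumed placeholders.

```shell
#!/bin/sh
# Added example: add "SetHandler default-handler" to an upload directory's
# .htaccess and verify the result. Not the hosting provider's own tooling.
set -e

HANDLER_LINE='SetHandler default-handler'

# Return 0 if DIR/.htaccess contains an uncommented, whole-line copy of the
# directive. Comments are stripped and whitespace normalised first; Apache
# directive names are case-insensitive, so the match is too.
htaccess_protects() {
  dir=$1
  [ -f "$dir/.htaccess" ] || return 1
  sed 's/#.*//' "$dir/.htaccess" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//' \
    | grep -qi "^$HANDLER_LINE\$"
}

# Append the directive if it is missing. Safe to run repeatedly: it never
# writes a second copy.
protect_upload_dir() {
  dir=$1
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  if htaccess_protects "$dir"; then
    return 0
  fi
  printf '%s\n' "$HANDLER_LINE" >> "$dir/.htaccess"
  htaccess_protects "$dir"
}

# Live check against your own site (needs the directory to be web-reachable;
# URL_BASE is an assumed placeholder such as https://example.com/uploads).
# A harmless marker file is placed, fetched, and removed. With the handler in
# place the raw "<?php" text is returned; if the marker alone comes back, the
# server executed the file and the protection is not active.
verify_over_http() {
  dir=$1; url_base=$2
  printf '%s\n' '<?php echo "EXECUTED"; ?>' > "$dir/handler-probe.php"
  body=$(curl -fsS "$url_base/handler-probe.php" || true)
  rm -f "$dir/handler-probe.php"
  case $body in
    *'<?php'*)  echo "OK: served as plain text, not run"; return 0 ;;
    *EXECUTED*) echo "FAIL: the server ran the script";   return 1 ;;
    *)          echo "UNKNOWN: empty or blocked response"; return 2 ;;
  esac
}
```

Run `protect_upload_dir /path/to/uploads` on the server, then `verify_over_http /path/to/uploads https://example.com/uploads` to confirm the directive is actually honoured.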

Is this the same as just disabling PHP?

This trick is similar to another suggestion you might see of adding “php_flag engine off” to a .htaccess file. However, php_flag won’t work on many servers, including ours, and it doesn’t protect you against people uploading other kinds of scripts.

Using “SetHandler default-handler” works much more reliably.

Can I use this to protect WordPress?

Yes, some users of the WordPress blog software use this method to protect the “wp-content/uploads” directory.

Can’t I put files in a directory where the Web server won’t see them at all?

Yes, this is another option. If you configure your script to place new files in a directory under your home directory, the Web server won’t even be able to see the files in the first place.