PHP scripts are blocked in “/wp-content/uploads” directories

This page is showing a generic answer.
To see a more detailed answer customized for you, type your domain name here:

If you were redirected you to this page, you’re probably trying to run a PHP script inside the “/wp-content/uploads” directory of a WordPress site.

By default, access to PHP scripts in that location is blocked. Most WordPress sites do not try to run PHP files there. They are often malicious scripts that have been uploaded by “hackers” taking advantage of a security bug in a WordPress plugin or theme.

How can I fix this?

If this is your site, and you intentionally want to run a PHP script in “/wp-content/uploads”, you can delete the file at /wp-content/uploads/.htaccess. That’s the file that contains the blocking rules.

If you don’t know how to delete that file yourself, you can contact us and ask us to do it for you. Say something like:

I'm the administrator of [ DOMAIN NAME ] and I need to run a PHP script in /wp-content/uploads. I have read and understand the warnings on <>. Please delete the default "/wp-content/uploads/.htaccess" file that blocks these.

If you do this, be sure to keep a PHP file in the directory — if our system detects no more PHP files there, it will add the protection again.

We should emphasize that we don’t recommend disabling the protection. It leaves your site vulnerable to extremely common file upload security bugs in WordPress plugins or themes you use. Disabling PHP scripts in this directory is recommended by well-known WordPress security companies like Acunetix and Sucuri.