Disabling PHP Execution in Certain WordPress Directories Using .htaccess File
Most WordPress sites have a .htaccess file in the root folder. This is a powerful configuration file used to password protect admin area, disable directory browsing, generate SEO friendly URL structure, and more.
By default, the .htaccess file located in your WordPress website’s root folder, but you can also create and use it inside your inner WordPress directories.
To protect your website from backdoor access files, you need to create a .htaccess file and upload it to your site’s /wp-includes/ and /wp-content/uploads/ directories.
Simply create a blank file on your computer by using a text editor like Notepad (TextEdit on Mac). Save the file as .htaccess and paste the following code inside it.
Now save the file on your computer.
Next, you need to upload this file to /wp-includes/ and /wp-content/uploads/ folders on your WordPress hosting server.
You can upload it by using an FTP client or via File Manager app in your hosting account’s cPanel dashboard.
Once the .htaccess file with the above code is added, it will stop any PHP file to run in these directories.
Using this .htaccess trick helps you harden your WordPress security, but it is not a FIX for an already hacked WordPress site.
Backdoors are cleverly disguised and can already be hidden in plain sight.
If you want to check for possible backdoors on your website, then you need to activate Sucuri on your website.
Sucuri is the best WordPress security plugin on the market. It scans your website for possible threats, suspicious code, malware, and vulnerabilities.
It also effectively blocks most hacking attempts to even reach your website by adding a firewall between your site and suspicious traffic.