
Know your Security Tweaks
Sometimes well-meaning security tweaks to your website can actually inhibit, or even outright kill, intended functionality. It is imperative web developers understand what they are trying to achieve and the different ways to get there.
One such security tweak for WordPress is disabling PHP execution in the /wp-content/uploads directory. On Apache, this is achieved by adding an .htaccess file to the directory with the following rule (note that Order takes a single argument, so there is no space after the comma):

```apache
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
```
However, I recently worked on a theme that implemented Lazy Loading for their images and the above rule prevented the script from working. In place of images I got nice little 404 errors.
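A practical way to avoid that surprise is to find out, before the rule goes live, which files under the uploads directory it would actually deny. The following script is an added example, not code from the original post: it mimics how a `<Files *.php>` section in an .htaccess file matches (on the file name only, recursively into subdirectories, case-sensitively as on a typical Linux host) and reports every matching file so you can check whether a theme or plugin still depends on one. The sample upload tree it builds in a temporary directory is constructed for the demonstration; the file names in it are not from any real site.

```python
import fnmatch
import tempfile
from pathlib import Path

# The rule from the post, with the comma fixed: "Order Allow,Deny" takes one
# argument, so a space after the comma would be an Apache syntax error.
HTACCESS_RULE = """<Files *.php>
Order Allow,Deny
Deny from all
</Files>
"""


def files_blocked_by_rule(uploads_dir, pattern="*.php"):
    """Return the sorted, POSIX-style relative paths of every file under
    uploads_dir whose file name matches the <Files> pattern.

    <Files> in an .htaccess file matches the file name only and applies to
    the directory and all of its subdirectories, which is what this walk
    mimics. Matching is case-sensitive, as on a typical Linux host.
    """
    root = Path(uploads_dir)
    blocked = []
    for path in root.rglob("*"):
        if path.is_file() and fnmatch.fnmatchcase(path.name, pattern):
            blocked.append(path.relative_to(root).as_posix())
    return sorted(blocked)


def build_sample_uploads():
    """Constructed sample upload tree (not real site data) for a dry run."""
    tmp = tempfile.mkdtemp(prefix="uploads-")
    sample = {
        "2014/05/photo.jpg": b"\xff\xd8\xff",
        "2014/05/photo-150x150.jpg": b"\xff\xd8\xff",
        "2014/05/thumb.php": b"<?php // hypothetical image helper used by a theme\n",
        "cache/index.php": b"<?php // silence is golden\n",
        "readme.txt": b"uploads\n",
    }
    for rel, content in sample.items():
        target = Path(tmp, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return tmp


def audit_report(uploads_dir):
    """Human-readable summary of what the rule would and would not affect."""
    blocked = files_blocked_by_rule(uploads_dir)
    total = sum(1 for p in Path(uploads_dir).rglob("*") if p.is_file())
    lines = [f"{total} files scanned, {len(blocked)} would be denied by <Files *.php>:"]
    lines.extend(f"  - {rel}" for rel in blocked)
    if blocked:
        lines.append("Check whether anything on the site (a theme script, a "
                     "lazy-loading helper, a plugin) still requests these "
                     "before enabling the rule.")
    return "\n".join(lines)


if __name__ == "__main__":
    uploads = build_sample_uploads()
    print(HTACCESS_RULE)
    print(audit_report(uploads))
```

Run it against the real uploads directory by passing that path to `audit_report` instead of the constructed sample; an empty list means the rule will only ever deny files that are uploaded later, which is the situation the tweak is meant for. Anything it does list is worth tracing back to whatever references it before the .htaccess file is deployed.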
There are a lot of security tweaks and suggestions out there on the internet. Be sure you know what you’re using.
To round off this post, here are some related links you may find helpful:
- HTML5 Boilerplate’s .htaccess file
- 5G Blacklist 2013 (WordPress users can use the BBQ: Block Bad Queries Plugin which is based on the 5G Blacklist)
- 10 Useful WordPress Security Tweaks
- 10+ .htaccess snippets to optimize your website
Image of electronic lock taken by Jenny Rollo.
Edit 22nd May 2014: If you want to protect vulnerable WordPress folders using the .htaccess method described above, I highly suggest installing Sucuri Security – SiteCheck Malware Scanner. You can easily add or remove the .htaccess file from the WordPress Administration instead of having to access your server via FTP/SFTP/SSH.