How to disable php files in upload folder of WordPress with IIS


This is another security tip to harden your WordPress site running on an IIS server. As we know, hackers always try to find loopholes in a website to hack it. It is better to prepare yourself for each type of attack. A smart developer always tries to minimize the chances of hacking by implementing security measures.

Attacking the upload folder by inserting .php files into it is one of the most used hacking techniques. Hackers generally insert a PHP file into your upload folder and execute it to get useful information or delete something.

Generally, if we put a PHP file in our upload folder, it executes like any other PHP file. To check this, just upload an “index.php” file to your upload folder with the code below:

<?php echo "index code working"; ?>

Just prepare a blank index.php file, copy and paste the code above into it, and upload it to your upload folder at “your-website-root/wp-content/uploads”. After uploading this file, go to your browser and open that “index.php” file.




Your URL will be http://example.com/wp-content/uploads/index.php, where “example.com” is your domain name.

After this you will see that the PHP code written in your “index.php” file runs like any other PHP file. Just look at the image attached to the post.

Now we must stop this execution of PHP files to protect against hackers. To do this, just follow the steps below:

Step 1. Prepare a blank “web.config” file
Step 2. Copy and paste the code below into your “web.config” file:

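<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <!-- Drop every handler inherited from the site, including the PHP handler -->
            <clear />
            <!-- Serve everything in this folder as static content only -->
            <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
        </handlers>
    </system.webServer>
</configuration>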

Step 3. Now upload this file to your upload folder.
You are done now. Just look at the upload folder in the image; you will find that your “index.php” file and your “web.config” file are in the same place in the uploads folder.
After this, open the URL “http://example.com/wp-content/uploads/index.php” again, where “example.com” is your domain.


You will find that the code written in your “index.php” can no longer execute. You will see a message like “The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.” Just look at the other image after applying the above changes.
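To check the result without a browser, the following added example (not code from this post) audits an uploads-folder web.config for the layout shown above and lists script files already sitting in the folder. The function names, the SCRIPT_EXTS list and both sample configs are assumptions constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Modules named in the web.config above; they only serve files as static content.
STATIC_MODULES = {"StaticFileModule", "DefaultDocumentModule", "DirectoryListingModule"}
# Extensions treated as server-side script here (assumed list, adjust per server).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}

# Constructed sample: the uploads web.config from this post.
HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer><handlers>
  <clear />
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers></system.webServer></configuration>"""
# Constructed sample: no <clear />, and a script handler mapped back in.
WEAK = """<configuration><system.webServer><handlers>
  <add name="PHP" path="*.php" verb="*" modules="FastCgiModule" resourceType="Either" />
</handlers></system.webServer></configuration>"""


def audit_handlers(xml_text):
    """Return a list of problems found in an uploads-folder web.config."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    handlers = root.find("./system.webServer/handlers")
    if handlers is None:
        return ["no <handlers> section, inherited handlers still apply"]
    problems = []
    children = list(handlers)
    if not children or children[0].tag != "clear":
        problems.append("<clear /> is not the first entry, inherited handlers remain")
    for add in handlers.findall("add"):
        modules = {m.strip() for m in add.get("modules", "").split(",") if m.strip()}
        if not modules or modules - STATIC_MODULES:
            problems.append(f"handler {add.get('name')!r} is not static-only: {sorted(modules)}")
    return problems


def find_script_files(uploads_dir):
    """List files under uploads_dir whose extension marks them as server-side script."""
    hits = []
    for folder, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                hits.append(os.path.relpath(os.path.join(folder, name), uploads_dir))
    return sorted(hits)
```

An empty list from audit_handlers means the file matches the static-only layout; any path returned by find_script_files is a file that does not belong in a media folder and should be reviewed.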

If anything on this topic is not clear, please comment below or contact us.


Mostakim Hossen
