How to disable PHP execution in subfolders

If you want to disable code execution in subfolders of your web application, you can add the following lines to your .htaccess file:

# Forbid access to PHP files in subfolders. 
RewriteCond %{REQUEST_URI} ^.+/.*\.php$ 
RewriteRule ^ index.php [F]

With this RewriteRule, requests for files with the .php extension outside the root folder of your application will result in a 403 Forbidden error. Files in the top folder (index.php, cron.php, update.php etc.) will still work as expected; the same applies to URL aliases with the .php extension defined inside the application.

WARNING Make sure to add those lines below the standard rewrite rules for index.php, otherwise URL aliases ending in .php will not work.

Thanks to Klaus Purer for this tip!


Related articles