Sometimes when checking my VPS logs, I’ll see a large number of attempts to access PHP files on my server. These files will be of different names and different paths – all attempting to probe my site for weaknesses, find expired plugins to exploit, and more. And this is after I protect my WordPress site from automatic bots on Cloudflare! So you can imagine the actual number of requests that would have originated before being filtered out! So the question arises – is it safe or possible to block external access to PHP files on WordPress?
Why Blocking PHP Files Might be Helpful
Even if you’re confident in the security of your website, a large number of requests for missing PHP files can still clog up your server. The reason is that each of these generates a 404 error (best-case scenario), and your site still has to serve that page. What’s more, caching plugins like W3 Total Cache typically don’t cache 404 error pages, so all of these are dynamic requests, adding load that grows linearly with the number of requests.
If the number of requests reaches a certain limit, your site will start feeling the strain. If you’re on shared hosting, this can slow down your site very quickly. So it’s worth considering whether or not we want to block all external access to PHP files altogether.
What to Keep in Mind While Blocking PHP Files
While a 3rd party typically doesn’t need to directly access PHP, there are three scenarios when it’s needed:
- /wp-admin/admin-ajax.php for ajax requests
- Admin pages all ending in “.php”
- Posting a comment calls the “comments.php” page.
WordPress developers often make heavy use of the /wp-admin/admin-ajax.php file to update the page in real-time. These requests will come from the browser of the user who views your site, so it’ll be filtered out as a 3rd party request if you block all PHP access. This can be a problem for those who rely on this functionality.
The second (and more common) problem is that all admin functions use URLs with “.php” in them. If you’re editing a post, or even just viewing the plugins screen or listing the number of posts on a page, all of these require PHP access.
Finally, anyone posting a comment on your WordPress post will call the “comments.php” page. If you want users to interact with your site, then we can’t block access to this.
So any solution for blocking automated PHP requests has to accommodate these three scenarios.
Blocking PHP with a JS Challenge on Cloudflare
Personally, I don’t have a dynamic component to my site so I can safely ignore /wp-admin/admin-ajax.php. Instead, I have to deal with admin access. Of course, I can just outright block all PHP access using a firewall and then disable the firewall whenever I want to access my WordPress admin, but this is annoying. Instead, I issue a JS challenge for PHP files.
A JS challenge makes the browser solve a small JavaScript computation, which a genuine browser completes in a few seconds. During that time, visitors (including you if you’re the admin) will see a page like this:
For my site WP-Tweaks.com, I’ve created a Cloudflare JS challenge for all PHP files. Right now, the only real users who see the above screenshot are:
- Myself when I access the admin area of WordPress
- Users who want to post a comment
All other access isn’t genuine traffic and can be safely ignored. Since I get just a handful of comments regularly, I don’t consider this to be a huge deal.
Creating an Exception for /wp-admin/admin-ajax.php
If your site relies heavily on Ajax features, just add an exception in the firewall rule for this path. Or if the feature is accessed infrequently, you might feel that it’s worth the inconvenience of waiting a few seconds for your users to access it.
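To make the rule from the previous two sections concrete (challenge every PHP path, but exempt /wp-admin/admin-ajax.php), here is a small Python model of that decision applied to some constructed access-log lines. This is an added example, not code from the post or from Cloudflare; the Cloudflare rule expression quoted in the docstring is my reading of how the post's rule would be written and should be checked against Cloudflare's rules-language reference, and the log lines are made up for the demonstration. It also shows two edge cases the post does not spell out: a ".php" that appears only in the query string (which should not trip the rule) and a ".php" in the middle of the path, as in /index.php/feed/ (which should).

```python
"""Model of the Cloudflare rule described in the post, run over sample log lines.

Added example, not the post's own code. The logic mirrors a custom rule whose
expression would be (my assumption of the exact syntax):

    (lower(http.request.uri.path) contains ".php")
    and not (http.request.uri.path eq "/wp-admin/admin-ajax.php")

with the action set to the JS challenge the post describes.
"""
import re
from urllib.parse import urlsplit

# Paths a genuine browser calls in the background with no human to solve a
# challenge. admin-ajax.php is the one the post discusses; add others as needed.
AJAX_EXEMPTIONS = frozenset({"/wp-admin/admin-ajax.php"})

# Matches the request line and status of a combined-format access log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def should_challenge(request_target: str, exemptions=AJAX_EXEMPTIONS) -> bool:
    """Return True if the rule would serve a JS challenge for this request.

    request_target is the raw target from the request line (path plus optional
    query string). Cloudflare's http.request.uri.path excludes the query, so the
    query is split off first: ".php" inside a query parameter must not trigger
    the rule, while a path such as /index.php/feed/ must.
    """
    path = urlsplit(request_target).path
    if path in exemptions:
        return False
    # Lower-case before matching so /WP-LOGIN.PHP cannot slip past the rule.
    return ".php" in path.lower()


def triage_log(log_text: str, exemptions=AJAX_EXEMPTIONS):
    """Split log lines into (challenged, passed) lists of request targets."""
    challenged, passed = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        target = m.group("target")
        (challenged if should_challenge(target, exemptions) else passed).append(target)
    return challenged, passed


# Constructed access-log lines (not real traffic) covering the cases above.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/old-plugin/readme.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 48 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /2024/01/some-post/ HTTP/1.1" 200 24910 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /?s=test.php HTTP/1.1" 200 8011 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php/feed/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 41000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    challenged, passed = triage_log(SAMPLE_LOG)
    print("Would be challenged:", *challenged, sep="\n  ")
    print("Would pass through:", *passed, sep="\n  ")
```

Run against the sample, the probe for a missing plugin file, the login page, the admin edit screen and the /index.php/feed/ request are all challenged, while the admin-ajax.php call, the ordinary post URL and the search query containing "test.php" pass through. The same split is what you should expect to see in Cloudflare's firewall events after deploying the rule; if admin-ajax.php requests show up there, the exemption is not matching the path exactly.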
On my site, here is the number of PHP access attempts blocked in the last 24 hours on WP-Tweaks.com, after Cloudflare has already blocked automatic bots and threats:
So not bad! I’ve excluded these requests from hitting my server and wasting my resources. If you’re running WordPress, you should consider something similar as well!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!