Incorrect solution to disable script execution by .htaccess

I saw some people use this code in “.htaccess” to disable script execution:

<Files ~ “(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi|\.spc|\.jsp|\.cfm|\.passwd)$”>
order deny,allow
deny from all

But I think, this code is not secure at all. I bypass it by uploading a file with this name: “testpage.PhP”. (I tested it on my web hosting)

The problem is:

This code has a case sensitive regular expression.

Note: <FilesMatch> is similar to <Files> with this problem

One solution: use this code instead of that code:

# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

Useful links:,-tricks-and-hacks.html


2 thoughts on “Incorrect solution to disable script execution by .htaccess

  1. Susan

    Where is this supposed to be placed in the .htaccess file? If I put it at the top, then it prevents legitimate site visitors from executing PHP scripts such as email forms.

    How to prevent access selectively once I’ve used a succession of SetEnvIfNoCase User-Agent lines to identify bad bots, and there is a list of denies of IP address blocks ?

Comments are closed.