By default, WordPress makes certain directories writeable so that you and other authorized users on your website can easily upload themes, plugins, images, and videos to your website. However this capability can be abused by attackers who can use it to upload backdoor access files or malware to your website. These malicious files are often disguised as core WordPress files. They are mostly written in PHP and can run in the background to gain full access to every aspect of your website. Hence, we can disable PHP execution in certain WordPress directories to protect such attacks.
Â