Jethost’s Help Center


Restrict .PHP.XXX Extension Files

Some attackers try to bypass standard file restrictions by uploading PHP files with extra extensions – like .php.txt, .php1, or .php.bak. These variants often escape filters and go unnoticed. The JetHost Total Care setting Restrict files with .PHP.XXX extension helps block this tactic by preventing those files from executing.

Why You Might Want to Block .php.XXX File Variants

Even when standard PHP file uploads are blocked, a file named malware.php.txt can slip through if your security setup isn’t watching closely. If your server treats .php.txt or similar formats as executable, it can become a serious threat.

Blocking these variants helps you:

  • Stop attackers from sneaking in executable scripts
  • Prevent misuse of backup or test files left behind by mistake
  • Close a loophole commonly used in web-based malware

The JetHost Total Care setting Restrict files with .PHP.XXX extension gives you this protection without writing server-level rules yourself.

What Are .PHP.XXX Files and Why They’re Risky

These files use PHP as the base extension, followed by an extra dot and another extension like .php.old, .php.save, or .php.new. While they look harmless, they can still be treated as executable scripts by improperly configured servers.

In other words, these are just PHP files in disguise and they’re often used in targeted attacks or automated upload exploits.

How to Restrict PHP Extension Variants with JetHost Total Care

To restrict PHP extension variants using JetHost Total Care:

1. Log in to your WordPress dashboard.
2. Open the JetHost Total Care section from the sidebar.
3. In the Security tab, look for the setting labeled Restrict files with .PHP.XXX extension.
4. Toggle the switch to turn it on.


JetHost Total Care saves the change automatically when you toggle the setting.


What Happens After You Enable the Setting

Once this feature is active, your server will block access to PHP files with non-standard suffixes like .php.tmp, .php.save, or .php1. If someone tries to access or execute these files, the request will fail.

Meanwhile, your site’s normal PHP files continue to work as expected. There’s no disruption to plugins, themes, or admin functionality.
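
The setting blocks requests for these files; to see which files on disk carry such names, the added example below (not JetHost Total Care's own code) walks a directory, lists names matching the variants named in this article, and notes which ones contain a PHP opening tag. The regex, function names and sample tree are assumptions made for illustration; the plugin's own matching rule is not documented on this page.

```python
import pathlib
import re
import tempfile

# Assumption: a "variant" is ".php" followed by digits and/or further
# extensions, matching the names this article lists (.php.txt, .php1, .php.bak).
VARIANT_RE = re.compile(r"\.php(\d*(?:\.[^./\\]+)*)$", re.IGNORECASE)

def variant_suffix(name):
    """Return what follows '.php' (e.g. '.txt', '1'), or None for a normal name."""
    m = VARIANT_RE.search(name)
    return m.group(1) if m and m.group(1) else None

def contains_php_tag(path, limit=65536):
    """True if the first `limit` bytes hold a PHP opening tag."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit).lower()
    except OSError:
        return False  # unreadable file: still reported by name
    return b"<?php" in head or b"<?=" in head

def audit(root):
    """Return sorted (relative_path, suffix, has_php_code) for each variant under root."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        suffix = variant_suffix(path.name)
        if path.is_file() and suffix is not None:
            rel = path.relative_to(root).as_posix()
            findings.append((rel, suffix, contains_php_tag(path)))
    return sorted(findings)

def build_sample_tree(root):
    files = {  # constructed sample tree, not real site data
        "index.php": b"<?php // normal file\n",
        "uploads/2024/report.php.txt": b"<?php echo 'constructed sample'; ?>\n",
        "plugins/demo/settings.php.bak": b"<?php $old = true;\n",
        "themes/demo/notes.php1": b"plain text, no code\n",
    }
    for rel, data in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, suffix, has_code in audit(tmp):
            print(f"{rel}\tsuffix={suffix}\tphp_code={has_code}")
```

To check a real site, call audit() with the path to its wp-content directory instead of the sample tree.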

JetHost Experts Tip

Malware scanners don’t always catch disguised PHP files. That’s why it’s smart to block suspicious formats at the server level using JetHost Total Care. It adds a defense that most attackers aren’t expecting.

Need More Help?

The JetHost Total Care setting Restrict files with .PHP.XXX extension protects your WordPress environment from a common trick used in malware uploads. It’s a quick way to shut down an attack route before it becomes a problem. Take a look at more WordPress security guides to stay ahead of common issues.