# Never execute scripts from the uploads folder — serve files as downloads/media only.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|pht|cgi|pl|py|asp|aspx|sh)$">
  Require all denied
</FilesMatch>
Options -Indexes -ExecCGI
RemoveHandler .php .phtml .php3 .php4 .php5 .php7
RemoveType .php .phtml .php3 .php4 .php5 .php7
php_flag engine off
