Preventing Apache from executing files with multiple extensions
Some configurations of the Apache web server will run files with multiple extensions as scripts, for example a file named “my_file.php.psd”. In these cases, Apache does not recognize the last suffix and falls back to the next one it finds (in this case, “.php”), then executes the file as a PHP file.
Because this has security implications, we recommend that, if you are running Apache, you disable this behavior inside any folder where you allow file uploads via ExpressionEngine. The following .htaccess file will generally work.
1) Create a file called “.htaccess” (exactly like that, no additional file extensions).
2) Place the following into its contents.
# Protects from Apache reading double suffixes
SetHandler EE_Upload_Security_Do_Not_Remove
3) Upload this file into each upload folder within your ExpressionEngine installation, or, if your upload folders are all contained inside a common parent folder, place one copy of it there.
Notes:
- We always recommend you work with your webhost when working with server configuration.
- If you already have an .htaccess file in your installation, simply add the “SetHandler” line to it.
- Some users have trouble with this file name, and you may want to create “htaccess.txt” and rename it after you’ve uploaded it to your webserver.
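To check an existing installation, the following added example (not part of the original article or of ExpressionEngine) walks an upload folder, flags file names that carry a script suffix before the final suffix, such as “my_file.php.psd”, and reports whether a .htaccess containing a “SetHandler” line covers each one. The SCRIPT_EXTS list and the function names are assumptions; adjust the list to the handlers your server maps.

```python
import os

# Assumption: suffixes this server maps to a script handler; match your own config.
SCRIPT_EXTS = {"php", "phtml", "php5", "pl", "cgi"}

def hidden_script_ext(filename):
    """Return a script suffix that sits before the final suffix, else None."""
    # Conservative: flagged whether or not the final suffix is one Apache knows.
    suffixes = filename.lower().split(".")[1:]
    for ext in suffixes[:-1]:
        if ext in SCRIPT_EXTS:
            return ext
    return None

def has_sethandler(directory, root):
    """True if directory, or a parent up to root, has .htaccess with SetHandler."""
    directory, root = os.path.abspath(directory), os.path.abspath(root)
    while True:
        path = os.path.join(directory, ".htaccess")
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line in fh:
                    # Commented-out lines start with "#" and do not match.
                    if line.strip().lower().startswith("sethandler"):
                        return True
        if directory == root:
            return False
        parent = os.path.dirname(directory)
        if parent == directory:
            return False
        directory = parent

def audit_uploads(root):
    """List (relative path, script suffix, covered by SetHandler) for risky names."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        covered = has_sethandler(dirpath, root)
        for name in sorted(files):
            ext = hidden_script_ext(name)
            if ext:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, ext, covered))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, ext, covered in audit_uploads(sys.argv[1] if len(sys.argv) > 1 else "."):
        state = "present" if covered else "MISSING"
        print(f"{rel}: .{ext} before final suffix; SetHandler override {state}")
```

Run it with the upload folder (or the common parent folder) as its only argument; a "MISSING" result means no .htaccess with a “SetHandler” line was found between that file's folder and the folder you passed in.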
