diff --git a/.htaccess b/.htaccess
old mode 100644
new mode 100755
index f40401512c..69ad3ff511
--- a/.htaccess
+++ b/.htaccess
@@ -8,6 +8,12 @@ RewriteEngine on
+# Prevent execution of PHP from directories used for different types of uploads
+RedirectMatch 403 ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/main/default_course_document/images/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/main/lang/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/web/css/.*\.(php|php4|php5)$
+
 # http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
 RewriteCond %{QUERY_STRING} ^id=(.*)$
 RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]
diff --git a/documentation/security.html b/documentation/security.html
index 7cbc15e3ad..89256ce085 100755
--- a/documentation/security.html
+++ b/documentation/security.html
@@ -141,13 +141,13 @@ This will prevent direct access to your settings and make it seem totally the sa
 location ~ ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$ {
 deny all;
 }
-location ~ ^/main/default_course_document/images/.*\.php$ {
+location ~ ^/main/default_course_document/images/.*\.(php|php4|php5)$ {
 deny all;
 }
-location ~ ^/main/lang/.*\.php$ {
+location ~ ^/main/lang/.*\.(php|php4|php5)$ {
 deny all;
 }
-location ~ ^/web/css/.*\.php$ {
+location ~ ^/web/css/.*\.(php|php4|php5)$ {
 deny all;
 }
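Review bot: The four new RedirectMatch rules in the .htaccess hunk are case-sensitive, while Apache's mod_mime extension mapping for the PHP handler is not, so a script named with an upper-case extension under the same directories would be served by PHP but not denied; prefixing each pattern with `(?i)` closes that gap, e.g. `RedirectMatch 403 "(?i)^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$"`. The trailing `$` also only matches when the extension is the last path component, so if the PHP handler on the deployment accepts trailing path-info, `\.(php|php4|php5)(/|$)` is the safer anchor; the nginx examples touched in documentation/security.html use the same `$` anchoring. The extension list should mirror whatever the PHP handler is actually configured for (distribution configs commonly also map `.phtml` and `.phar`), which is worth stating next to the rules: `# Keep this extension list in sync with the PHP handler configuration (AddHandler/SetHandler)`. The mode change 100644→100755 on .htaccess looks incidental; a config file does not need the executable bit.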