Execute PHP in /wp-content/uploads/ (BulletProof Security Free forum)
This topic has 8 replies, 2 voices, and was last updated 9 years, 1 month ago by Matt Alhaarth.
Matt Alhaarth (Participant)
Hello,
Does BPS Security prevent the possibility to execute PHP in /wp-content/uploads/ ?
Regards,
Matt

AITpro Admin (Keymaster)
BPS free does not come with an uploads .htaccess file that protects the uploads folder from PHP code/file execution, but BPS Pro does: Uploads Anti-Exploit Guard (UAEG), and it has an additional htaccess File Editor window for editing the UAEG htaccess file. You can use the code below to manually create an .htaccess file for the uploads folder.
# Forbid .php files: example.php, example.PHP, example.php.jpg, example.PHP.jpg
# Order/Deny are Apache 2.2-style access directives (served by mod_access_compat on Apache 2.4)
<FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
Order Deny,Allow
Deny from all
</FilesMatch>
Matt Alhaarth (Participant)
I think you’ve just convinced me to upgrade to Pro, just a little concerned that it might be too complex for my limited technical abilities.
AITpro Admin (Keymaster)
I wasn’t trying to convince you or persuade you to get BPS Pro. If you only need WordPress uploads folder protection then just use the code above. 😉
Matt Alhaarth (Participant)
I know you weren’t trying to make a sale, but BPS free has served me well for some time and I now find I’m needing features available in the Pro version.
My slight concern is potential issues with W3TC and having wp-cron disabled. If I understand correctly, PDF files are not automatically permitted, but I assume there is some way to make an exception?
AITpro Admin (Keymaster)
If you have WP Crons disabled then BPS Pro is not for you – all of the automated features in BPS Pro use WP Crons. WP Crons are an essential aspect of WordPress. Without Crons nothing automated can happen – i.e. your website is in static mode vs being in a dynamic automated mode.
PDFs are allowed by default: See the entire list of allowed WordPress upload file types.
Matt Alhaarth (Participant)
Thank you. I’ve added the code you suggested to my sites as described and also added the same to the wp-includes folder.
On one of my sites, I discovered I already had a .htaccess in the wp-content/uploads/ folder containing the following:

Options -Indexes
<Files *.php>
deny from all
</Files>

Would you recommend modifying this?
AITpro Admin (Keymaster)
I recommend replacing that code/file with the code I posted. Options -Indexes is already being applied to the /uploads folder from/by your BPS root .htaccess file. The code will protect against .php files being executed in the uploads folder, but will not protect against php files disguised as image files: hacker-file.php.jpg being executed.
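As an added illustration (not code from the thread, from BPS, or from the admin), the following Python checks how the two .htaccess patterns discussed above classify a set of constructed upload filenames, which makes the admin's point about disguised files concrete. It assumes that Python's re and fnmatch approximate Apache's regex search and wildcard matching closely enough for these patterns, and that Apache applies both against the file's basename.

```python
import fnmatch
import re

# Regex from the <FilesMatch> block the admin posted, used unchanged.
FILESMATCH_RE = re.compile(r"\.(php|PHP|\.+(php)|\.+(PHP)).*$")
# Wildcard from the pre-existing <Files *.php> block in wp-content/uploads/.
FILES_WILDCARD = "*.php"


def filesmatch_denies(basename: str) -> bool:
    """True if the <FilesMatch> regex would apply 'Deny from all' to this file.
    Apache runs the regex as an unanchored search against the basename, which
    re.search approximates (PCRE and Python re agree on a pattern this simple)."""
    return FILESMATCH_RE.search(basename) is not None


def files_wildcard_denies(basename: str) -> bool:
    """True if <Files *.php> would apply 'deny from all' to this file.
    A wildcard <Files> does case-sensitive shell-style matching of the whole
    basename, which fnmatchcase approximates."""
    return fnmatch.fnmatchcase(basename, FILES_WILDCARD)


def missed_by_wildcard(basenames):
    """Filenames the regex denies but the plain wildcard lets through."""
    return [n for n in basenames
            if filesmatch_denies(n) and not files_wildcard_denies(n)]


# Constructed sample filenames (not from the thread): the cases the admin
# lists plus a few ordinary uploads and one mixed-case edge case.
SAMPLES = [
    "example.php",          # plain PHP file: both patterns deny
    "example.PHP",          # upper-case extension: only the regex denies
    "example.php.jpg",      # PHP disguised as an image: only the regex denies
    "hacker-file.php.jpg",  # the admin's disguised-file example
    "photo.jpg",            # ordinary image: neither denies
    "manual.pdf",           # PDF, allowed by default: neither denies
    "upload.Php",           # mixed case: neither pattern as written matches
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22} <Files *.php>={files_wildcard_denies(name)!s:5} "
              f"<FilesMatch>={filesmatch_denies(name)}")
    print("missed by <Files *.php>:", missed_by_wildcard(SAMPLES))
```

The mixed-case entry shows that the posted regex only covers the lower- and upper-case spellings it names; on a case-insensitive filesystem a `(?i)` flag in the regex would close that gap.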
Matt Alhaarth (Participant)
Thank you for your time and assistance, you have been exceptionally helpful.