Execute PHP in /wp-content/uploads/ (BulletProof Security Free forum)
This topic has 8 replies, 2 voices, and was last updated 5 years, 10 months ago by Matt Alhaarth.
Matt Alhaarth (Participant):
Hello,
Does BPS Security prevent the possibility to execute PHP in /wp-content/uploads/?
Regards,
Matt

AITpro Admin (Keymaster):
BPS free does not come with an uploads .htaccess file that protects the uploads folder from PHP code/file execution, but BPS Pro does: Uploads Anti-Exploit Guard (UAEG), which also has an additional htaccess File Editor window for editing the UAEG htaccess file. You can use the code below to manually create an .htaccess file for the uploads folder.

    # Forbid .php files: example.php, example.PHP, example.php.jpg, example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Deny,Allow
    Deny from all
    </FilesMatch>
Matt Alhaarth (Participant):
I think you’ve just convinced me to upgrade to Pro; I’m just a little concerned that it might be too complex for my limited technical abilities.
AITpro Admin (Keymaster):
I wasn’t trying to convince you or persuade you to get BPS Pro. If you only need WordPress uploads folder protection then just use the code above. 😉
Matt Alhaarth (Participant):
I know you weren’t trying to make a sale, but BPS free has served me well for some time and I now find I’m needing features available in the Pro version.
My slight concern is potential issues with W3TC and having wp-cron disabled. If I understand correctly, pdf files are not automatically permitted, but I assume there is some way to make an exception?
AITpro Admin (Keymaster):
If you have WP Crons disabled then BPS Pro is not for you – all of the automated features in BPS Pro use WP Crons. WP Crons are an essential aspect of WordPress. Without Crons nothing automated can happen – i.e. your website is in static mode vs being in a dynamic automated mode.
PDFs are allowed by default: see the entire list of allowed WordPress upload file types.
Matt Alhaarth (Participant):
Thank you. I’ve added the code you suggested to my sites as described and also added the same to the wp-includes folder.
On one of my sites, I discovered I already had a .htaccess in the wp-content/uploads/ folder containing the following:

    Options -Indexes
    <Files *.php>
    deny from all
    </Files>

Would you recommend modifying this?
AITpro Admin (Keymaster):
I recommend replacing that code/file with the code I posted. Options -Indexes is already being applied to the /uploads folder from/by your BPS root .htaccess file. That code will protect against .php files being executed in the uploads folder, but will not protect against php files disguised as image files (hacker-file.php.jpg) being executed.
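The difference AITpro Admin describes (a `<Files *.php>` glob versus the posted FilesMatch regex) can be checked offline by evaluating both rules against sample filenames. This is an added example, not code from the thread or from the BPS plugin; it assumes Apache's `<Files>` wildcard is matched shell-style and case-sensitively and that `<FilesMatch>` is an unanchored regex search over the bare filename, and the sample names are constructed.

```python
import fnmatch
import re

# Regex exactly as posted in the FilesMatch directive above.
FILESMATCH_RE = re.compile(r"\.(php|PHP|\.+(php)|\.+(PHP)).*$")

# Glob from the older <Files *.php> block found in the existing uploads .htaccess.
FILES_GLOB = "*.php"


def denied_by_files(name):
    """<Files *.php>: Apache matches the bare filename with a shell-style
    wildcard (assumed case-sensitive), so only names ending in .php are denied."""
    return fnmatch.fnmatchcase(name, FILES_GLOB)


def denied_by_filesmatch(name):
    """<FilesMatch "...">: an unanchored regex search over the filename, so
    '.php' anywhere in the name (e.g. before a trailing .jpg) is denied."""
    return FILESMATCH_RE.search(name) is not None


def compare(names):
    """Return {filename: (denied_by_Files, denied_by_FilesMatch)}."""
    return {n: (denied_by_files(n), denied_by_filesmatch(n)) for n in names}


# Constructed sample filenames for the demonstration, not from any real site.
SAMPLES = [
    "example.php",           # plain PHP file: both rules deny it
    "example.PHP",           # upper-case extension: only FilesMatch denies it
    "hacker-file.php.jpg",   # PHP disguised as an image: only FilesMatch denies it
    "photo.jpg",             # legitimate upload: neither rule denies it
    "report.pdf",            # legitimate upload: neither rule denies it
    "example.Php",           # mixed case: neither rule denies it (see note)
]

if __name__ == "__main__":
    for name, (files, filesmatch) in compare(SAMPLES).items():
        print(f"{name:22} <Files *.php>: {files!s:5}  FilesMatch: {filesmatch}")
```

Neither rule catches a mixed-case name such as example.Php; whether Apache would actually hand such a file to PHP depends on how the PHP handler is configured, so a case-insensitive pattern is the safer choice if that is a concern on your server.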
Matt Alhaarth (Participant):
Thank you for your time and assistance, you have been exceptionally helpful.