Execute PHP in /wp-content/uploads/


This topic contains 8 replies, has 2 voices, and was last updated by  Matt Alhaarth 3 years, 3 months ago.

Viewing 9 posts - 1 through 9 (of 9 total)
    #21465

    Matt Alhaarth
    Participant

    Hello,
    Does BPS Security prevent the possibility to execute PHP in /wp-content/uploads/ ?
    Regards,
    Matt

    #21467

    AITpro Admin
    Keymaster

    BPS free does not come with an uploads .htaccess file that protects the uploads folder from PHP code/file execution, but BPS Pro does, via its Uploads Anti-Exploit Guard (UAEG), and has an additional .htaccess File Editor window for editing the UAEG .htaccess file. You can use the code below to manually create an .htaccess file for the uploads folder.

    # Forbid .php files: example.php, example.PHP, example.php.jpg, example.PHP.jpg
    # (?i) makes the match case-insensitive (so example.Php is caught as well, since
    # mod_mime matches handler extensions case-insensitively). FilesMatch is an
    # unanchored search, so a ".php" segment anywhere in the name, including double
    # extensions such as .php.jpg, is denied.
    <FilesMatch "(?i)\.php.*$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
    Order Deny,Allow
    Deny from all
    </FilesMatch>

    #21472

    Matt Alhaarth
    Participant

    I think you’ve just convinced me to upgrade to Pro; I’m just a little concerned that it might be too complex for my limited technical abilities.

    #21473

    AITpro Admin
    Keymaster

    I wasn’t trying to convince you or persuade you to get BPS Pro.  If you only need WordPress uploads folder protection then just use the code above. 😉

    #21474

    Matt Alhaarth
    Participant

    I know you weren’t trying to make a sale, but BPS free has served me well for some time and I now find I’m needing features available in the Pro version.

    My slight concern is potential issues with W3TC and having wp-cron disabled. If I understand correctly, pdf files are not automatically permitted but I assume there is some way to make an exception?

    #21475

    AITpro Admin
    Keymaster

    If you have WP Crons disabled then BPS Pro is not for you – all of the automated features in BPS Pro use WP Crons. WP Crons are an essential aspect of WordPress. Without Crons nothing automated can happen – i.e. your website is in static mode vs being in a dynamic automated mode.

    PDFs are allowed by default: see the entire list of allowed WordPress upload file types.

    #21476

    Matt Alhaarth
    Participant

    Thank you. I’ve added the code you suggested to my sites as described and also added the same to the wp-includes folder.

    On one of my sites, I discovered I already had a .htaccess in the wp-content/uploads/ folder containing the following:

    Options -Indexes
    <Files *.php>
    deny from all
    </Files>
    Would you recommend modifying this?

    #21477

    AITpro Admin
    Keymaster

    I recommend replacing that code/file with the code I posted.  Options -Indexes is already being applied to the /uploads folder from/by your BPS root .htaccess file.  The code will protect against .php files being executed in the uploads folder, but will not protect against php files disguised as image files:  hacker-file.php.jpg being executed.

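To see concretely what each of the two rules in this thread blocks, here is an added Python example (not code from the thread, from BPS, or from Apache) that replays Apache's matching semantics offline: `<Files *.php>` is a shell-style wildcard compared with the file's basename, `<FilesMatch>` is an unanchored regex search, and mod_mime treats every dot-separated segment of a name as an extension and matches it case-insensitively, which is why `shell.php.jpg` can still reach the PHP handler under an `AddHandler ... .php` configuration. The sample filenames, the handler extension set, and the hardened pattern (which goes beyond the thread by also covering .phtml, .phar and .php5) are this example's own assumptions.

```python
import fnmatch
import re
from typing import Callable, List

# Constructed sample of upload names (hypothetical), mixing legitimate files with
# the kinds of names an attacker tries in order to get PHP executed from /uploads/.
SAMPLE_UPLOADS = [
    "photo.jpg",
    "report.pdf",
    "shell.php",
    "shell.PHP",
    "shell.Php",
    "shell.php.jpg",
    "shell.phtml",
    "shell.php5",
]

# Extensions a typical mod_php/mod_mime setup hands to the PHP handler (assumed set).
# mod_mime compares extensions case-insensitively and looks at every dot-separated
# segment, which is why "shell.php.jpg" is dangerous.
PHP_HANDLER_EXTS = {"php", "phtml", "phar", "php5", "php7"}

# The user's pre-existing rule: <Files *.php> is a wildcard matched against the basename.
FILES_PATTERN = "*.php"

# A case-sensitive FilesMatch pattern that alternates "php" and "PHP" by hand:
# it catches double extensions but not mixed case such as "shell.Php".
FILESMATCH_CASE_SENSITIVE = r"\.(php|PHP).*$"

# A hardened pattern (this example's suggestion, not BPS code): case-insensitive,
# covers php/php<digit>/phtml/phar, and only allows a further ".ext" after the
# match so that a name like "x.pharmacy.jpg" is not a false positive.
FILESMATCH_HARDENED = r"(?i)\.ph(p[0-9]?|tml|ar)(\..*)?$"


def php_would_run(name: str) -> bool:
    """True if mod_mime would route this basename to the PHP handler."""
    segments = name.split(".")[1:]  # every segment after the first dot is an extension
    return any(seg.lower() in PHP_HANDLER_EXTS for seg in segments)


def files_denies(name: str) -> bool:
    """<Files *.php>: apr_fnmatch-style wildcard, case-sensitive on Unix."""
    return fnmatch.fnmatchcase(name, FILES_PATTERN)


def filesmatch_denies(name: str, pattern: str) -> bool:
    """<FilesMatch "...">: PCRE search (not a full match) against the basename."""
    return re.search(pattern, name) is not None


def execution_gaps(names: List[str], denies: Callable[[str], bool]) -> List[str]:
    """Names that would reach PHP and that the given rule does NOT deny."""
    return [n for n in names if php_would_run(n) and not denies(n)]


def report() -> dict:
    """Gaps left by each rule over the sample; an empty list means fully covered."""
    return {
        "Files *.php": execution_gaps(SAMPLE_UPLOADS, files_denies),
        "FilesMatch case-sensitive": execution_gaps(
            SAMPLE_UPLOADS, lambda n: filesmatch_denies(n, FILESMATCH_CASE_SENSITIVE)),
        "FilesMatch hardened": execution_gaps(
            SAMPLE_UPLOADS, lambda n: filesmatch_denies(n, FILESMATCH_HARDENED)),
    }


if __name__ == "__main__":
    for rule, gaps in report().items():
        print(f"{rule:28s} still executable: {gaps or 'none'}")
```

Running it shows `<Files *.php>` leaving every variant except the plain lower-case `shell.php` executable, the case-sensitive FilesMatch pattern still missing `shell.Php` and `shell.phtml`, and the hardened pattern denying all of the executable names while leaving `photo.jpg` and `report.pdf` alone. The simulation only models the deny rule; whether a given name actually executes on your host still depends on the server's own handler configuration, so test against the real server after deploying the .htaccess.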
    #21479

    Matt Alhaarth
    Participant

    Thank you for your time and assistance, you have been exceptionally helpful.
