Protecting Media Library and files – Uploads Anti-Exploit Guard

  • #1236
    Amel
    Participant

    Hello,
    as far as I understand, only the following files and folders are not monitored by AutoRestore/Quarantine: Media Library and upload folder, am I right? As they are protected by UAEG – Uploads Anti-Exploit Guard?
    So I have 2 questions now:

    1. if the media library is not protected by BPS, then someone can upload a file that could harm the WP, is this correct? Or perhaps not damage our own WP where the BPS is running since the BPS keeps the security, but it is possible to attack other sites from this one using these “open-not-protected” folders?

    2. is it possible to protect those locations within AutoRestore/Quarantine? I know this can be tricky as those who are updating the WP news, blogs etc.. they have to keep in mind that ARQ needs to be turned off in order to be able to upload the images, so take a backup, then turn ARQ back on again…
    But I am willing to do so IF these locations can be protected by BPS. We could at least have an option in BPS to select or deselect protection for these folders…

    Thank You

    Best regards

    Amel

    #1237
    AITpro Admin
    Keymaster

    Update:  A new Uploads Anti-Exploit Guard (UAEG) Read Me First Sticky Topic has been created in the link below.

    http://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/

    1.  The WordPress uploads folder is your WordPress Media Library storage area/folder for uploaded files.  Content and links related to your uploaded files stored in your uploads folder are of course stored in your WordPress Database.  The BPS Pro Uploads Anti-Exploit Guard protects the uploads folder by blocking external / remote access to the uploads folder by file extension type.  So let’s say a hacker somehow managed to upload a php hacker file to your uploads folder – hackerFile.php – this file is blocked from being allowed to be viewed/opened/accessed/processed/executed.  The same applies to files disguised as an image file – hackerPHPFileDisguisedAsJPGFile.php.jpg.  Any file that exists in your uploads folder that could be harmful or used against your site in a hack is Forbidden by BulletProof Security Pro Uploads Anti-Exploit Guard.

    2.  Yes, it would be possible to allow AutoRestore/Quarantine to monitor the uploads folder, but there is absolutely no good reason for this since the Uploads Anti-Exploit Guard completely protects the uploads folder already.  What would end up happening is mistakes and headaches when these mistakes and headaches do not need to happen in the first place since UAEG has the uploads folder completely protected.

    Here is the logic behind how UAEG is more effective using the approach we have taken.

    It would be impossible to block a plugin or theme with bad coding that allows harmful files to be uploaded to your uploads folder.

    So using that logic you take that factor out of the equation and you start from the most important point, which is the uploads folder itself.  It does not matter if a hacker somehow managed to get a file into the uploads folder – it will be Forbidden/Killed/Dead/Useless to the hacker because the file is inaccessible to everyone including the site owner.  No one can view/open/execute a harmful file in the uploads folder – PERIOD.

    #1240
    Amel
    Participant

    Thank You for the very quick response!
    I understand it much better now..
    Case closed 🙂
    Best regards
    Amel

    #1243
    AITpro Admin
    Keymaster

    I’m really glad you asked this question.  I have been meaning to get this info posted in the Forum.  Now I can just send this Forum link when I get email questions about what the heck UAEG is and how it works.  Thanks for posting a great question.  🙂

    #1251
    Amel
    Participant

    Very glad to help 🙂 You’re very welcome.
    It’s very kind of You to answer me so quickly, I have never seen before that a developer is just sitting and answering the posts almost in real time 🙂
    Thank You very much again!

    Best regards
    Amel
