The folder “wp-content/uploads” is intended to store media and static assets, but attackers can abuse contact forms (or other plugins) with file-upload capabilities that do not properly restrict file types to upload a PHP script. Once it lands in “wp-content/uploads”, the PHP script is reachable over the web like any other uploaded file.
By requesting the uploaded script in a browser, the attacker gets it executed on the server and gains a foothold (a web shell) for uploading and downloading further content.
It is therefore important to prevent PHP from executing inside the “wp-content/uploads” folder: the web server should refuse to serve or execute PHP files located there.
To accomplish this in Apache, create an .htaccess file inside the “wp-content/uploads” directory with the following contents (this requires that AllowOverride permits .htaccess files in that directory):

    # Disable PHP Execution
    <FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
        # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
        deny from all
    </FilesMatch>
In Nginx, add the following location block to the server configuration:

    # Must appear before the generic "location ~ \.php$" block that hands
    # requests to PHP-FPM: nginx uses the first matching regex location.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
        access_log off;
        log_not_found off;
    }
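After applying either rule, confirm that it actually took effect. The script below is an added example, not part of the original article: it assumes you have copied a harmless probe file (contents shown in the script) directly into wp-content/uploads on the server, and that curl is available. It then classifies the HTTP response: a 403 means the block works, the computed marker in the body means PHP still executes, and the literal source in the body means PHP is not executed but the file is being served as plain text.

```bash
#!/bin/sh
# Constructed probe: its output differs from its source only if the
# PHP interpreter actually ran it. Place it in wp-content/uploads yourself
# (e.g. via scp), never through a public upload form.
PROBE_NAME="phpexec-probe.php"
PROBE_SOURCE='<?php echo "PROBE-RESULT-" . (40 + 2); ?>'

# classify_response STATUS BODY
# Prints: blocked | not_found | executed | source_disclosed | other
# Returns 0 only when the response shows PHP execution is blocked.
classify_response() {
    status="$1"
    body="$2"
    case "$status" in
        403) echo "blocked"; return 0 ;;
        404) echo "not_found"; return 1 ;;   # probe missing, or rewritten away
    esac
    case "$body" in
        *PROBE-RESULT-42*)
            # The expression was evaluated: PHP execution is NOT disabled.
            echo "executed"; return 1 ;;
        *'<?php'*)
            # Served verbatim: not executed, but the file is readable.
            echo "source_disclosed"; return 1 ;;
        *)
            echo "other"; return 1 ;;
    esac
}

# check_url BASE_URL  (e.g. https://example.com, a placeholder)
# Fetches the probe from the uploads directory and classifies the result.
check_url() {
    url="$1/wp-content/uploads/$PROBE_NAME"
    # Append the status code on its own line so body and status can be split.
    raw=$(curl -s -w '\n%{http_code}' "$url")
    status=$(printf '%s\n' "$raw" | tail -n 1)
    content=$(printf '%s\n' "$raw" | sed '$d')
    classify_response "$status" "$content"
}
```

Run it as `check_url https://your-site.example` after placing the probe, and delete the probe file afterwards.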