How to disable PHP file execution in the WordPress uploads folder

The “wp-content/uploads” folder is intended to store media and static assets, but attackers sometimes abuse contact forms that accept file uploads to upload a PHP script. Once the script sits in “wp-content/uploads”, it is reachable over the web like any other uploaded file.

By requesting the uploaded PHP script in a browser, the attacker gets it executed on the server, gains access to the system and can use the script as a channel for uploading and downloading further content.

Therefore, it is crucial to prevent PHP scripts from executing within the “wp-content/uploads” folder: PHP file execution should be disabled there entirely.

To accomplish this in Apache, we can create an .htaccess file within the “wp-content/uploads” directory. Note that the file only takes effect if the server's AllowOverride setting permits access-control directives in .htaccess for that directory.

# Disable PHP Execution
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
    # Apache 2.2 syntax (works on Apache 2.4 only if mod_access_compat is loaded)
    deny from all
    # Apache 2.4 equivalent: Require all denied
</FilesMatch>

In Nginx, add a location block that denies these requests. Because Nginx tests regular-expression locations in the order they appear and uses the first match, this block must come before the location that hands *.php requests to PHP-FPM; note also that the dot before “php” has to be escaped, otherwise it matches any character.

# Deny direct requests for PHP files under /uploads/ or /files/.
# Place this before the "location ~ \.php$" block that passes requests to PHP-FPM.
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}
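Whichever server you use, the change is only worth anything if you confirm it works. The following script is an added example, not part of the original post: it drops a harmless PHP probe into wp-content/uploads, fetches it over HTTP and reports whether the server blocked the request, executed the file, or served its source as plain text. The WP_ROOT and SITE_URL values are assumptions for this example and must be adjusted to your site.

```shell
#!/bin/sh
# Added verification script (not part of the original post): drops a harmless
# PHP probe into wp-content/uploads, fetches it over HTTP and reports whether
# the server blocked it, executed it, or served the source as plain text.
# Assumed values: WP_ROOT (WordPress document root) and SITE_URL (public base URL).
WP_ROOT="${WP_ROOT:-/var/www/html}"
SITE_URL="${SITE_URL:-https://example.com}"
MARKER="PHP_EXECUTED_MARKER"
PROBE_NAME="php-exec-probe-$$.php"

# classify_response STATUS BODY -> prints one of: blocked | served_as_text | executed | unknown
classify_response() {
    status="$1"
    body="$2"
    if [ "$status" = "403" ] || [ "$status" = "404" ]; then
        echo blocked                       # deny rule is in effect
    elif printf '%s' "$body" | grep -qF '<?php'; then
        echo served_as_text                # not executed, but the source is disclosed
    elif printf '%s' "$body" | grep -qF "$MARKER"; then
        echo executed                      # PHP ran: the hardening is NOT in effect
    else
        echo unknown                       # e.g. a redirect or a custom error page
    fi
}

run_probe() {
    probe_path="$WP_ROOT/wp-content/uploads/$PROBE_NAME"
    # The probe prints the marker only if the server actually executes PHP here.
    printf '<?php echo "%s"; ?>\n' "$MARKER" > "$probe_path"
    trap 'rm -f "$probe_path"' EXIT        # always remove the probe afterwards

    # curl appends the HTTP status code as a final line after the body.
    raw=$(curl -s -w '\n%{http_code}' "$SITE_URL/wp-content/uploads/$PROBE_NAME")
    status=$(printf '%s\n' "$raw" | tail -n 1)
    body=$(printf '%s\n' "$raw" | sed '$d')
    result=$(classify_response "$status" "$body")
    echo "$SITE_URL/wp-content/uploads/$PROBE_NAME -> HTTP $status: $result"
    [ "$result" = "blocked" ]
}

# Run the live check only when explicitly requested: RUN_PROBE=1 ./check.sh
if [ "${RUN_PROBE:-0}" = "1" ]; then
    run_probe
fi
```

Run it on the web server itself with RUN_PROBE=1; a result of "executed" means the deny rule is not being applied (for Apache, typically because AllowOverride forbids it; for Nginx, typically because the PHP-FPM location is matched first), and "served_as_text" means the request is no longer executed but the file is still downloadable, so the rule is in the wrong place or not matching the extension.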
