Preventing PHP scripts from running in /wp-content/uploads

We write a lot about how out of date WordPress plugins or themes can cause your site to get “hacked” due to security bugs.

Interestingly, many of these bugs share a near-identical flaw: they intentionally allow strangers to upload files to your site (intending to allow image uploads and so on), but they don’t sufficiently screen out malicious script files. The bugs allow a malicious PHP script to be uploaded somewhere under the site’s “/wp-content/uploads” directory, and then the “hacker” simply runs that script in a web browser.

To help our customers, we’re doing something to minimize the impact of these security vulnerabilities: By default, we’re now blocking PHP scripts from running in “/wp-content/uploads”.

This will improve security because very few sites use this feature legitimately (and none should do so, really; relying on being able to run uploaded PHP scripts without moving them to a safe location is a security risk). Disabling PHP scripts in this directory is recommended by well-known WordPress security companies like Acunetix and Sucuri.

What’s the exact change?

We’re adding a .htaccess file at “/wp-content/uploads/.htaccess” on all WordPress sites we host. It contains these lines (plus a comment explaining them):

<FilesMatch "\.php[0-9]?$|\.phtml$">
  SetHandler tigertech-block-php-in-wp-uploads
</FilesMatch>

These special lines make our servers issue a “redirect” to a page explaining that PHP scripts in this location are blocked.

When will this happen?

Our WordPress installer is now adding this protection to all new WordPress sites.

We’ll also add the protection to existing sites over the next several weeks. However, we won’t add it if your site already has any “.php” files under “/wp-content/uploads”, so if you already rely on PHP scripts working, you won’t notice any change. Our intent is to stop future problems if possible, not to alter any existing setup.
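As an added example (not Tiger Technologies’ installer code), here is a POSIX shell script that installs a PHP-blocking .htaccess into an uploads directory only when no PHP files already exist there, the same precondition described above. It assumes Apache 2.4 and uses the generic `Require all denied` directive in place of the host-specific `tigertech-block-php-in-wp-uploads` handler, which only exists on their servers.

```shell
#!/bin/sh
# Added example: install a PHP-blocking .htaccess in a WordPress uploads
# directory, but only if no PHP files already live there (so existing setups
# are not altered). Assumes Apache 2.4; "Require all denied" is a generic
# substitute for the host-specific SetHandler line on the page.

# List PHP-like files under the given directory, using the same extension
# set as the page's FilesMatch pattern (.php, .php0-9, .phtml).
find_php_files() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) 2>/dev/null
}

# Returns 0 when the protection was installed, 1 when skipped because PHP
# files already exist, 2 when the directory does not exist.
protect_uploads() {
  dir=$1
  [ -d "$dir" ] || return 2
  if [ -n "$(find_php_files "$dir")" ]; then
    echo "skipping $dir: existing PHP files found" >&2
    return 1
  fi
  cat > "$dir/.htaccess" <<'EOF'
# Block direct execution of PHP scripts uploaded to this directory.
<FilesMatch "\.php[0-9]?$|\.phtml$">
  Require all denied
</FilesMatch>
EOF
  return 0
}

# Returns 0 if the directory's .htaccess already carries the blocking rule.
is_protected() {
  grep -qF '<FilesMatch "\.php[0-9]?$|\.phtml$">' "$1/.htaccess" 2>/dev/null
}
```

Run it as `protect_uploads /path/to/wp-content/uploads`; after Apache reads the new .htaccess, a request for any uploaded .php file returns 403 instead of executing.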

Can I disable it?

Yes, you can delete the “/wp-content/uploads/.htaccess” file, or ask us to do so, if you want to allow these PHP scripts. The page you’ll be redirected to when you try it explains this.