Preventing PHP scripts from running in /wp-content/uploads

Posted November 17th, 2015 in Tech Corner. Tags: , .

We write a lot about how out of date WordPress plugins or themes can cause your site to get “hacked” due to security bugs.

Interestingly, many of these bugs have a near-identical flaw: They intentionally allow strangers to upload files to your site (intending to allow image uploads and so on), but they don’t sufficiently screen out malicious script files. The bugs allow a malicious PHP script somewhere under the site’s “/wp-content/uploads” directory, then the “hacker” simply runs that script in a web browser.

To help our customers, we’re doing something to minimize the impact of these security vulnerabilities: By default, we’re now blocking PHP scripts from running in “/wp-content/uploads”.

This will improve security because very few sites use this feature legitimately (and none should do so, really; relying on being able to run uploaded PHP scripts without moving them to a safe location is a security risk). Disabling PHP scripts in this directory is recommended by well-known WordPress security companies like Acunetix and Sucuri.

What’s the exact change?

We’re adding a .htaccess file at “/wp-content/uploads/.htaccess” on all WordPress sites we host. It contains these lines (plus a comment explaining them):

<FilesMatch "\.php[0-9]?$|\.phtml$">
  SetHandler tigertech-block-php-in-wp-uploads
</FilesMatch>

These special lines make our servers issue a “redirect” to a page explaining that PHP scripts in this location are blocked.

When will this happen?

Our WordPress installer is now adding this protection to all new WordPress sites.

We’ll also add the protection to existing sites over the next several weeks. However, we won’t add it if your site already has any “.php” files under “/wp-content/uploads”, so if you already rely on PHP scripts working, you won’t notice any change. Our intent is to stop future problems if possible, not to alter any existing setup.

Can I disable it?

Yes, you can delete the “/wp-content/uploads/.htaccess” file, or ask us to do so, if you want to allow these PHP scripts. The page you’ll be redirected to when you try it explains this.

  1. Recent Posts

    1. PHP versions 8.2.17 and 8.3.4
    2. President’s Day 2024 holiday hours
    3. PHP versions 8.1.27 and 8.2.15
    4. Martin Luther King, Jr. Day 2024 holiday hours
    5. New Year’s 2024 Holiday Hours
    6. Christmas 2023 Holiday Hours
    7. Brief scheduled maintenance December 16-17, 2023
    8. Thanksgiving 2023 Holiday Hours
    9. PHP versions 8.1.25 and 8.2.12
    10. PHP versions 8.1.24 and 8.2.11

  2. Categories

  3. Tags

    all servers email holiday hours linux mailman maintenance mod_security mysql network php phpmyadmin security server updates spam ssl status updates webmail wordpress zapp

  4. Feeds