Block PHP on uploads in WordPress

Last Revised: October 2, 2021

In principle, the WordPress media uploader only accepts files such as images, text files and the like; PHP files (PHP being the language WordPress is written in) are rejected. If PHP could nevertheless be executed from the uploads folder, an attacker who managed to get a file there through some other hole could run arbitrary code on the server. To close that path we should block the execution of PHP files in this folder at the web server level.

In Apache HTTPD (inside the .htaccess file in the /wp-content/uploads/ folder; this only takes effect if the server's AllowOverride setting permits .htaccess files there):

<Files ~ "\.php$">
  # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
  deny from all
</Files>

If we want to be more aggressive, we can also block other places that the public never needs to request directly, even though the WordPress core uses them internally:

In nginx (within the site's server block):

# These regex locations must come before the location that hands .php
# requests to PHP-FPM: nginx uses the first matching regex location.
location ~* /wp-includes/.*\.php$ {
  deny all;
  access_log off;
  log_not_found off;
}
location ~* /wp-content/.*\.php$ {
  deny all;
  access_log off;
  log_not_found off;
}
location ~* /(?:uploads|files)/.*\.php$ {
  deny all;
  access_log off;
  log_not_found off;
}

Which folders should be locked?

Although in principle the only folder where PHP execution must be blocked is the media uploads folder, the block can be extended to other parts of the code. In those cases, watch out for plugins and themes that expect to serve PHP files directly from these paths (even though doing so misuses the original WordPress design). Note also that the rules above only match the .php extension; if your PHP handler is also mapped to .phtml, .phar or similar extensions, extend the regex accordingly.

  • /wp-content/uploads/: This is the folder where users upload content. By default the WordPress media uploader does not allow PHP files, but vulnerabilities in plugins or themes frequently let an attacker write files here. Blocking the execution of any server-side language (PHP, Python, Perl …) in this folder prevents a dropped web shell from ever running.
  • /wp-includes/: This folder contains the core's "include" files. They are mostly CSS and JavaScript, although some are PHP. Those PHP files are not requested by the user but loaded by the system through include() calls, so they do not need to be reachable from the browser. The exception is a multisite installation, which serves uploads through /wp-includes/ms-files.php; that file must stay accessible.
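The blocking rules above only help if the web server actually applies them and if the attacker's file really ends in .php. The following script is an added example, not part of the original article: it walks wp-content/uploads under a document root, flags every file that carries a PHP-style extension anywhere in its name or starts with PHP code, and reports whether the uploads deny rule from the nginx block (with the dot escaped, `\.php$`) would stop a request for it. It also checks that an .htaccess in uploads contains a Files block denying PHP. The extension list, the .htaccess pattern and the sample tree it builds are assumptions for the demonstration; every sample file holds harmless stand-in content.

```python
"""Audit a WordPress document root for PHP left in wp-content/uploads.

Added example, not part of the original article. Every file created by
build_sample_site() is constructed, harmless stand-in content.
"""
import re
import tempfile
from pathlib import Path

# Extensions a PHP handler may be configured to run. Assumed list: check the
# AddHandler/SetHandler directives or the fastcgi `location` regex on your server.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# The uploads deny rule from the nginx block above, with the dot escaped.
UPLOADS_DENY = re.compile(r"/(?:uploads|files)/.*\.php$", re.IGNORECASE)

# A <Files>/<FilesMatch> block naming php that denies access (Apache 2.2 or 2.4 syntax).
HTACCESS_DENY = re.compile(
    r"<Files(?:Match)?\b[^>]*php[^>]*>.*?"
    r"(?:deny\s+from\s+all|Require\s+all\s+denied).*?</Files(?:Match)?>",
    re.IGNORECASE | re.DOTALL,
)


def scan_uploads(docroot: Path) -> list[dict]:
    """Return one finding per suspicious file under wp-content/uploads."""
    uploads = docroot / "wp-content" / "uploads"
    findings = []
    for path in sorted(uploads.rglob("*")):
        if not path.is_file() or path.name == ".htaccess":
            continue
        rel = "/" + path.relative_to(docroot).as_posix()
        # A PHP extension anywhere in the name is worth flagging: `logo.php.jpg`
        # is executed by Apache setups that map PHP with AddHandler, not SetHandler.
        php_ext = any(s.lower() in PHP_EXTENSIONS for s in path.suffixes)
        head = path.read_bytes()[:4096]
        php_code = b"<?php" in head or b"<?=" in head
        if php_ext or php_code:
            findings.append({
                "path": rel,
                "php_extension": php_ext,
                "php_code": php_code,
                # Would the \.php$ deny rule stop a request for this path?
                "blocked_by_rule": UPLOADS_DENY.search(rel) is not None,
            })
    return findings


def uploads_htaccess_denies_php(docroot: Path) -> bool:
    """True if wp-content/uploads/.htaccess has a Files block denying PHP."""
    htaccess = docroot / "wp-content" / "uploads" / ".htaccess"
    if not htaccess.is_file():
        return False
    return HTACCESS_DENY.search(htaccess.read_text(errors="replace")) is not None


def build_sample_site() -> Path:
    """Constructed sample docroot; all contents are harmless test strings."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    up = root / "wp-content" / "uploads" / "2021" / "10"
    up.mkdir(parents=True)
    stub = "<?php echo 'constructed test file';"
    (up / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # clean image
    (up / "shell.php").write_text(stub)        # caught by \.php$
    (up / "shell.phtml").write_text(stub)      # not caught by \.php$
    (up / "logo.php.jpg").write_text(stub)     # double extension, not caught
    (up / "avatar.gif").write_bytes(b"GIF89a" + stub.encode())  # polyglot, PHP by content only
    (root / "wp-content" / "uploads" / ".htaccess").write_text(
        '<Files ~ "\\.php$">\n  deny from all\n</Files>\n'
    )
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("uploads/.htaccess denies PHP:", uploads_htaccess_denies_php(site))
    for f in scan_uploads(site):
        state = "BLOCKED  " if f["blocked_by_rule"] else "REACHABLE"
        print(f"{state} {f['path']}  ext={f['php_extension']} code={f['php_code']}")
```

To audit a real installation, replace build_sample_site() with the document root (for example Path("/var/www/html")). Findings reported as REACHABLE are files the `\.php$` rule alone would not block: whether they actually execute depends on how the PHP handler is mapped on your server, which is exactly why the folder should be checked and not just protected by a regex.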



About this document

This document is licensed under the EUPL v1.2, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in your presentation or in any material you distribute, please credit this site or its author, and release the material you create under the EUPL license.