
Prevent execution of PHP files in the wp-content/uploads directory

wp-content/uploads directory

Your wp-content/uploads directory should be considered a potential entry point, and it is abused in a number of WordPress hacks. The biggest potential threat is the uploading of PHP files.

If you can browse /wp-content/plugins/, enumerating installed plugins and their versions becomes much easier. Exploiting this can give an attacker sensitive information that aids further attacks.

Exposing these files to prying eyes can reveal sensitive information, because wp-content/uploads contains important files. It is therefore necessary to hide them on the server, and the .htaccess file can help in securing them.

To prevent anyone from executing any PHP file in the wp-content/uploads folder, create an .htaccess file in the wp-content/uploads folder and add the following code to it:

# Kill PHP Execution
# Note: "deny from all" is the Apache 2.2 syntax; on Apache 2.4 it only works
# while mod_access_compat is loaded, otherwise use "Require all denied".
<Files ~ ".ph(?:p[345]?|t|tml)$">
deny from all
</Files>
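As an added example (not code from the original post), the Python below checks which file names the page's <Files ~> pattern actually denies, compares it with a hardened variant that also covers .phar, numbered .phpN suffixes and upper-case extensions (Apache's AddHandler/AddType extension matching ignores case), and renders an .htaccess that works under both the Apache 2.2 and 2.4 access-control syntaxes. The sample file names and the hardened pattern are my own assumptions, not from the page.

```python
import os
import re

# Verbatim pattern from the page's <Files ~ "..."> directive (Apache uses PCRE).
PAGE_PATTERN = re.compile(r".ph(?:p[345]?|t|tml)$")

# Hardened variant (an addition here, not from the page): escapes the dot,
# matches case-insensitively because Apache's AddHandler/AddType extension
# matching ignores case, and also covers .phar and any single-digit .phpN.
HARDENED_PATTERN = re.compile(r"\.ph(?:ar|p[0-9]?|t|tml)$", re.IGNORECASE)

# Constructed sample of basenames one might find under wp-content/uploads.
SAMPLE_UPLOADS = ["photo.jpg", "shell.php", "shell.php5", "shell.phtml",
                  "shell.PHP", "shell.phar", "shell.php7", "report.pdf"]

def is_denied(filename, pattern=PAGE_PATTERN):
    """True if a <Files ~>/<FilesMatch> block with this pattern denies the name.
    Apache matches the basename only, so the directory part is stripped."""
    return pattern.search(os.path.basename(filename)) is not None

def denied_names(names, pattern=PAGE_PATTERN):
    """Subset of names the given pattern denies."""
    return [n for n in names if is_denied(n, pattern)]

def coverage_gap(names):
    """Names the hardened pattern denies but the page's pattern lets through."""
    return [n for n in names
            if is_denied(n, HARDENED_PATTERN) and not is_denied(n, PAGE_PATTERN)]

def find_matching_files(uploads_dir, pattern=HARDENED_PATTERN):
    """Walk a real uploads tree and list PHP-like files already present in it."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        hits.extend(os.path.join(root, f) for f in files if is_denied(f, pattern))
    return sorted(hits)

def render_htaccess(pattern=HARDENED_PATTERN):
    """.htaccess text denying matched files under both the Apache 2.2
    (mod_access_compat) and Apache 2.4 (mod_authz_core) syntaxes."""
    flags = "(?i)" if pattern.flags & re.IGNORECASE else ""
    return (
        "# Kill PHP Execution\n"
        f'<FilesMatch "{flags}{pattern.pattern}">\n'
        "  <IfModule mod_authz_core.c>\n    Require all denied\n  </IfModule>\n"
        "  <IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n"
        "  </IfModule>\n"
        "</FilesMatch>\n"
    )
```

Run find_matching_files() against a real uploads directory before adding the rule: any hit is a file that should not be there, whatever .htaccess says.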