Category: Security

There are many ways to improve the security of your site and you should try to do as much as possible to protect your (client) sites. Here's another way to enhance the security of your site.

Problem: if your site is running an outdated piece of software, malicious people will try to upload and execute files from your uploads folder.
With the following rules we'll block requests to certain files in that folder.

That way even if the attacker manages to upload a file he/she won't be able to execute it.

This post assumes that you're running an Apache web server.

The rules for nginx should be very similar.

If you are running Apache v2.4+, add this to the .htaccess file in the document root (create it if necessary).
If you have access to the server, it's better to put this snippet in /etc/apache2/conf-enabled/00_block_scripts_in_uploads.conf and then reload the server config.
Doing this at server level saves precious server resources AND the rules will apply to ANY site hosted on the server.

[code]
<LocationMatch "/uploads?/.*?\.(php\d*|py|cgi|pl)">
Require all denied
</LocationMatch>
[/code]

For Apache < v2.4, put this in an .htaccess file (create it if necessary) residing in the uploads folder you want to protect.
If you're using WordPress, that is wp-content/uploads/.

[code]
<FilesMatch "\.(php\d*|py|cgi|pl)">
Order allow,deny
Deny from all
</FilesMatch>
[/code]

Notes:
The regular expression doesn't end in $, which would restrict it to blocking only files whose name ends in one of those extensions.
Don't we want exactly that? Well, yes, and we want a lot more!

In this WordPress.org forum post somebody suggested that the attacker could also name the script file test.php.jpg, which would bypass any security check done only on the final extension, as the file would be assumed to be an image. That's why we're looking for a known extension anywhere within the filename.

\d* means that the php extension may or may not be followed by a number.
This will match e.g. test.php and test.php4 and test.php5 etc.

The observant ones will have noticed that the text above didn't mention WordPress at all.
Well, it is related to WordPress because WordPress' uploads folder is usually wp-content/uploads.
The rules above match requests to (sub)folders named upload or uploads and therefore apply to WordPress as well.
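Before deploying either rule it is worth checking exactly which request paths it catches. The following is an added example, not code from the original post: it mirrors the two patterns above with Python's re module (this pattern uses only constructs that behave the same in PCRE, which Apache uses) and runs them over constructed sample paths. The paths and the helper names are assumptions made up for illustration.

```python
import re

# The LocationMatch pattern from the Apache 2.4 rule, unchanged.
# Apache evaluates LocationMatch against the URL path of the request (no query string).
UPLOADS_SCRIPT_RE = re.compile(r"/uploads?/.*?\.(php\d*|py|cgi|pl)")

# The FilesMatch pattern from the Apache < 2.4 rule, unchanged.
# FilesMatch is evaluated against the file name only, and the .htaccess that
# carries it sits inside the uploads folder, so the folder scope is implicit.
FILES_SCRIPT_RE = re.compile(r"\.(php\d*|py|cgi|pl)")


def is_blocked(url_path: str) -> bool:
    """True if the request path would hit the LocationMatch 'Require all denied' rule."""
    return UPLOADS_SCRIPT_RE.search(url_path) is not None


def is_blocked_by_filesmatch(filename: str) -> bool:
    """True if the file name would hit the FilesMatch 'Deny from all' rule."""
    return FILES_SCRIPT_RE.search(filename) is not None


def classify(paths):
    """Map each request path to 'denied' or 'allowed' so a whole list can be reviewed at once."""
    return {p: ("denied" if is_blocked(p) else "allowed") for p in paths}


# Constructed sample request paths (hypothetical, for illustration only).
SAMPLE_PATHS = [
    "/wp-content/uploads/2024/01/photo.jpg",     # ordinary upload: allowed
    "/wp-content/uploads/2024/01/shell.php",     # script in uploads: denied
    "/wp-content/uploads/2024/01/shell.php5",    # \d* covers numbered variants: denied
    "/wp-content/uploads/2024/01/test.php.jpg",  # double extension from the post: denied
    "/upload/backdoor.cgi",                      # singular 'upload' folder also matches: denied
    "/wp-includes/js/jquery.php",                # not under an uploads folder: allowed
    "/wp-content/uploads/notes.txt",             # harmless text file: allowed
    "/wp-content/uploads/2024/01/shell.phtml",   # suffix not in the alternation: allowed;
                                                 # extend the list to whatever your handler maps
]

if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:7s} {path}")
```

Run it after editing the alternation to confirm every suffix your PHP handler configuration maps is listed as denied.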

Related

  • http://httpd.apache.org/docs/current/sections.html
