Title: [Plugin: BulletProof Security] Kill PHP Execution for uploads folder
Last modified: August 20, 2016

---

# [Plugin: BulletProof Security] Kill PHP Execution for uploads folder

 *  Resolved [icing](https://wordpress.org/support/users/icing/)
 * (@icing)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/)
 * Was reading [this article](http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/)
   on WordPress Security. Maybe you have already read it. If not, then please do.
 * One question: does BulletProof Security protect from PHP execution (mentioned
   in that article)? That article says that the uploads folder is vulnerable and should
   be protected with an .htaccess file. Is this already done in BPS?
 * Thanks
 * [http://wordpress.org/extend/plugins/bulletproof-security/](http://wordpress.org/extend/plugins/bulletproof-security/)

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/#post-3122075)
 * Quoting from the Article…
 * > 2. Kill PHP execution.
   > Often the weakest link in any WordPress chain is the /uploads/ directory. It is
   > the only directory that needs to be writable in your installation. You can make
   > it more secure by preventing anyone from executing PHP. It’s simple to do. Add
   > the following to the .htaccess file at the root of the directory. If the file
   > doesn’t exist, create it.
   >
   > ```
   > <Files *.php>
   > Deny from All
   > </Files>
   > ```
 * …this could be helpful to protect the /uploads folder, but how it could be beaten
   would be if the hacker's file was named something like this: hackerPHPFileDisguisedAsAJPGFile.php.jpg.
 * Currently BPS does not have .htaccess coding to protect the /uploads folder in
   a specific way and only has general security protection, but specific .htaccess
   security coding for the /uploads folder will eventually be added. What needs 
   to be worked out first is how not to interfere with normal image uploading and
   image retrieval and still prevent exploits such as the one I just pointed out.
 * Offhand the simplest method would be to look at the file name and if it contains
   the pattern “.php” anywhere in the file name then do X.
 * This Regex would match both .php and .php. so it would be a little better to
   use:

   ```
   <FilesMatch "\.(php|php\.)$">
   Order Allow,Deny
   Deny from all
   </FilesMatch>
   ```

 * And another thing to consider and factor in is forcing the MIME Type, which I
   think WP is already doing anyway.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/#post-3122081)
 * Also, since I have never tested the code I just posted, it may be that you
   need to do a Regex match to the end of the file name for this to be effective.
 * Matches php, php.jpg, php.gif, php.png, etc.

   ```
   # Deny any file whose name contains ".php" followed by a dot or by the end of
   # the name: shell.php, shell.php.jpg, shell.php.gif, shell.php.png ...
   <FilesMatch "\.php(\.|$)">
   Order Allow,Deny
   Deny from all
   </FilesMatch>
   ```

 *  Thread Starter [icing](https://wordpress.org/support/users/icing/)
 * (@icing)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/#post-3122195)
 * Thanks for your reply. Will look forward to this functionality in BPS. Till then
   will just create a simple .htaccess with the code from your last post. Will report
   back in this thread if it hampers functionality.
 *  Thread Starter [icing](https://wordpress.org/support/users/icing/)
 * (@icing)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/#post-3122196)
 * Useful [comment from MickeyRoush](http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/#comment-68147)
   on the SmashingMag article.
 * > Your “Kill PHP Execution” code has an error. You’re using “FilesMatch” then
   > “Files” to close it. You need to change the “Files” to “FilesMatch” to close
   > it.
   > For your “Kill PHP Execution” for the uploads directory it would be better
   > to white-list instead of blacklist, since there are many extensions that could
   > be executable.
   > Something like this (I originally tried to paste the code here, but it gets
   > stripped for some reason):
   > [http://pastebin.com/49MrrbTp](http://pastebin.com/49MrrbTp)
   > Please note that the above works best for Apache 2.x and above. One, FilesMatch
   > is much better utilized for PCRE. Two, the above prevents any double extensions
   > as well, so no .php.jpg or anything that can be changed using Live HTTP Headers,
   > etc.
   > So the rule says: only allow the following case-insensitive single file extensions:
   > jpeg, jpg, png, gif, pdf
   > “[^.]+” means not a literal period, one or more times.
   > “(?:[Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff])” or “(?i:jpe?g|png|gif|pdf)”
   > means these case-insensitive file extensions.
   > You could create your own list depending on your needs.
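The difference between the blacklist snippets in AITpro's posts and the whitelist MickeyRoush describes is easiest to see by running the regexes against a few file names. The script below is an added example, not code from the thread or from the BulletProof Security plugin. It takes the first blacklist regex exactly as posted, adds an assumed tightened blacklist (`\.php(\.|$)`, which also catches `.php.jpg`-style names), and a whitelist whose exact form is an assumption reconstructed from the comment's description (the pastebin content is not on this page). Python's `re` engine is close to, but not the same as, Apache's PCRE, and whether a name such as `shell.php.jpg` would actually be executed depends on the server's handler configuration, so treat this as a way to reason about the patterns rather than as a test of a real server.

```python
import re

# Added example (not the thread's or plugin's code): replays the thread's
# FilesMatch regexes with Python's re module over constructed file names.

# Blacklist as posted in the thread: denies names ending in ".php" or ".php."
BLACKLIST_POSTED = re.compile(r"\.(php|php\.)$")

# Assumed tightened blacklist: ".php" followed by a dot or by the end of the
# name, so shell.php, shell.php.jpg and shell.php. are all denied.
BLACKLIST_TIGHTENED = re.compile(r"\.php(\.|$)")

# Assumed whitelist, reconstructed from the MickeyRoush comment: exactly one
# extension, drawn from a fixed set, matched case-insensitively.
WHITELIST = re.compile(r"^[^.]+\.(?i:jpe?g|png|gif|pdf)$")


def blacklist_denies(name, pattern=BLACKLIST_POSTED):
    """Would a <FilesMatch> blacklist deny this file?

    FilesMatch regexes are unanchored unless ^/$ are used, so search() models it.
    """
    return pattern.search(name) is not None


def whitelist_serves(name):
    """Would a deny-all directory with a <FilesMatch> allow rule serve this file?"""
    return WHITELIST.search(name) is not None


def verdicts(name):
    """Outcome for one file name under each of the three rule sets."""
    return {
        "posted_blacklist_denies": blacklist_denies(name, BLACKLIST_POSTED),
        "tightened_blacklist_denies": blacklist_denies(name, BLACKLIST_TIGHTENED),
        "whitelist_serves": whitelist_serves(name),
    }


# Constructed sample names: legitimate uploads, the disguised-PHP cases raised
# in the thread, and an executable extension the blacklists never mention.
SAMPLE_NAMES = [
    "photo.jpg",
    "Logo.PNG",
    "shell.php",
    "shell.php.jpg",
    "image.jpg.php",
    "shell.php.",
    "shell.phtml",
]


def gaps(names=SAMPLE_NAMES):
    """Names the posted blacklist still serves although the whitelist would refuse them."""
    return [n for n in names
            if not blacklist_denies(n, BLACKLIST_POSTED) and not whitelist_serves(n)]


if __name__ == "__main__":
    print(f"{'file':16} {'posted':>8} {'tightened':>10} {'whitelist':>10}")
    for n in SAMPLE_NAMES:
        v = verdicts(n)
        print(f"{n:16} {str(v['posted_blacklist_denies']):>8} "
              f"{str(v['tightened_blacklist_denies']):>10} "
              f"{str(v['whitelist_serves']):>10}")
    print("served by the posted blacklist, refused by the whitelist:", gaps())
```

The `gaps()` result is the point of the comment quoted above: a blacklist only stops what it names, so `shell.php.jpg` slips past the first regex and `shell.phtml` slips past both, while the whitelist refuses anything that is not a single known image or PDF extension.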
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/#post-3122206)
 * Yep that code looks good to me. Also you don’t have to use just one bit of code
   and could use several layers of protection by using several snippets of code.
   😉


The topic ‘[Plugin: BulletProof Security] Kill PHP Execution for uploads folder’
is closed to new replies.

 * 5 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [13 years, 7 months ago](https://wordpress.org/support/topic/plugin-bulletproof-security-kill-php-execution-for-uploads-folder/#post-3122206)
 * Status: resolved