[Plugin: BulletProof Security] Kill PHP Execution for uploads folder

Quoting from the Article…

2. Kill PHP execution.
Often the weakest link in any WordPress chain is the /uploads/ directory. It is the only directory that needs to be writable in your installation. You can make it more secure by preventing anyone from executing PHP. It’s simple to do. Add the following to the .htaccess file at the root of the directory. If the file doesn’t exist, create it.

<Files *.php>
Deny from All
</Files>

…this could be helpful to protect the /uploads folder, but how it could be beaten would be if the hackers file was named something like this – hackerPHPFileDisguisedAsAJPGFile.php.jpg.

Currently BPS does not have .htaccess coding to protect the /uploads folder in a specific way and only has general security protection, but specific .htaccess security coding for the /uploads folder will eventually be added. What needs to be worked out first is how not to interfere with normal image uploading and image retrieval and still prevent exploits such as the one I just pointed out.

Offhand the simplest method would be to look at the file name and if it contains the pattern “.php” anywhere in the file name then do X.

This Regex would match both .php and .php. so it would be a little better to use.

<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>

And another thing to consider and factor in is forcing the MIME Type, which i think WP is already doing anyway.

Also since i have never tested this code i just posted then it may be that you need to do a Regex match to the end of the file name for this to be effective.

matches php, php.jpg, php.gif, php.png, etc etc etc

<FilesMatch "\.(php|php\.)(.+)(\w|\d)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Thanks for your reply. Will look forward to this functionality in BPS. Till then will just create a simple .htaccess with the code from your last post. Will report back in this thread if it hampers functionality.

Useful comment from MickeyRoush on the SmashingMag article.

Your “Kill PHP Execution” code has an error. You’re using “FilesMatch” then “Files” to close it. You need to change the “Files” to “FilesMatch” to close it.

For your “Kill PHP Execution” for the uploads directory it would be better to white-list instead of blacklist, since there are many extensions that could be executable.

Something like this (I originally tried to paste the code here, but it gets stripped for some reason):

https://pastebin.com/49MrrbTp

Please note that above works best for Apache 2.x and above. One, FilesMatch is much better utilized for PCRE. Two, that above prevents any double extensions as well, so no .php.jpg or anything that can be changed using Live HTTP Headers, etc.

So the rules says, only allow the follow case-insensitive single file extensions. jpeg, jpg, png, gif, pdf

“[^.]+” Means not a literal period one or more times.

“(?:[Jj][Pp][Ee]?[Gg]|[Pp][Nn][Gg]|[Gg][Ii][Ff]|[Pp][Dd][Ff]) or (?i:jpe?g|png|gif|pdf)” Means these case-insensitive file extensions.

You could create your own list depending on your needs.

Yep that code looks good to me. Also you don’t have to use just one bit of code and could use several layers of protection by using several snippets of code. ??