Prevent execution of php files from sensitive folders

ovidiu · February 9, 2013, 4:27am

I found this snippet on the net and I really like the idea:

# Security: deny access to any files with a .php extension in  
# WP upload directory.  
location ~* /(?:uploads|files)/.*\.php$ {  
    deny all;  
    }

Googling around I found several other alternatives but they don't seem to work: I copied a simple info.php containing only phpinfo(); into wp-content/uploads/ and it still gets executed even after restarting nginx.

Any ideas? I think this could be extended to also prevent loading php from within say wp-conte wp-includes folder, right?

rahul286 · February 9, 2013, 8:40pm

Try following:

# Disallow PHP in upload folder  
    location /wp-content/uploads/{  
            location ~ \.php$ {  
                    deny all;                 
                }  
        }

Also, you can add one more line:

location ~ /readme\.(txt|html)$ {   
                    deny  all; access_log off; log_not_found off;   
}

Above line will partially save your WordPress from http://wpscan.org/ ;-)

Please let me know if above works fo you.

ovidiu · February 9, 2013, 10:55pm

BOTH directives work. any other locations you think we should keep safe from .php execution?

Oh, and could this be made more "generic" to catch subfolders too, something along the lines of:

Disallow PHP in upload folder single/multiuser:

location /wp-content/*{
location ~ .php$ { deny all; } }

ovidiu · February 10, 2013, 12:32pm

Ok, they worked on my first test. but now nginx won't restart again unless I remove this one. Best to test yourself again :-(

#Disallow PHP in upload folder single  
location /wp-content/uploads/{     
     location ~ \.php$ {  
                deny all;  
     }

}

rdhingra2 · July 30, 2015, 8:04pm

Did not worked for me still got mail bot file in upload > cache folder (found and removed with the help of clamav)

system · November 9, 2018, 2:00pm