Securing WordPress Blog Upload Directory
Published November 10th, 2008

Problem Statement:
We recently uploaded a few sample PHP scripts as downloads for an article on this blog, and one of our lead engineers realized that nothing stops Apache from executing PHP files in the WordPress upload directory by default! This is BAD: a file that was meant to be served as a download is instead run as code on the server, and the same goes for anything else that ends up in that directory. Here is how to fix this simple but potentially high-risk problem with the WordPress upload directory on an Apache web server.
Step 1: Edit your Virtual Host Configuration for the Blog
In your virtual host configuration for the blog, add the following directives:
<DirectoryMatch "/uploads/">
AddType text/plain .php
</DirectoryMatch>
This makes Apache serve any file ending in .php under a path containing /uploads/ as plain text, so a request displays the contents of the file instead of executing it. Two caveats before you rely on it. First, AddType only helps when PHP itself is wired up through a MIME type (classic mod_php setups); if PHP is hooked in with AddHandler or SetHandler (for example php-fpm), the handler still wins and the file is still executed, so in that case disable execution with php_admin_flag engine off (mod_php) or simply refuse to serve the files with Deny from all (Apache 2.2) or Require all denied (Apache 2.4) in a FilesMatch block. Second, showing the source is itself a disclosure: whatever is in the file is handed to anyone who asks for it. Denying access is the safer choice, and it also covers the other extensions PHP may be mapped to (.phtml, .php5, .phar). Put the rule in the virtual host, not in a .htaccess inside uploads, and set AllowOverride None for that directory so that a .htaccess written into the upload directory cannot switch execution back on.
Step 2: Restart Apache and test your new settings
Now restart the Apache web server and upload a file with a .php extension in one of your blog posts using WordPress. (If the WordPress media uploader refuses the file because of its type, copy it into wp-content/uploads by hand instead; the point is only to get a .php file into that directory.) Once the file is uploaded and you have added the file link to your post, save the post.
You can post a simple script as follows:
Visit the post and click on the file link to see whether it runs the script or shows the source code. If you see the PHP source (or a 403 error, if you chose to deny access to .php files instead), you are done! If you see the script's output, PHP is still being executed and the directive is not taking effect for that directory; check how PHP is hooked into Apache, as noted above.
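The check above can be scripted so it can be re-run after every Apache or PHP change. The following is an added example, not code from the original post: it prints a hardened vhost snippet that denies the files outright instead of displaying their source (the directive names are real Apache 2.4 / mod_php directives; the directory path is an assumption), then drops a canary PHP file into the upload directory, fetches it with curl and classifies the response as executed, source or denied. The filesystem path and public URL of the upload directory, the canary marker and the use of curl are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes: curl is installed, the
# two arguments to check_uploads_php_exec are the filesystem path and the public
# URL of the same WordPress upload directory, and this script may write there.
set -eu

# Hardened vhost snippet. Rather than showing the source of uploaded .php files
# (which leaks their contents), refuse to serve anything PHP-like under uploads.
# /var/www/blog/wp-content/uploads is an assumed path; adjust to your install.
print_hardened_conf() {
  cat <<'EOF'
<Directory "/var/www/blog/wp-content/uploads">
    # A .htaccess written into uploads must not be able to re-enable execution
    AllowOverride None
    # mod_php only: switch the interpreter off for this tree
    # (remove this line if PHP runs through php-fpm instead of mod_php)
    php_admin_flag engine off
    # Works for any SAPI: never serve the files at all, whichever extension PHP is mapped to
    <FilesMatch "\.(php|phtml|php[0-9]|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# Classify a response to a request for the canary file.
#   executed : the server ran the script (the computed marker came back)
#   source   : the raw script came back (what AddType text/plain produces)
#   denied   : 403/404, the file is not served at all
#   unknown  : none of the above (e.g. a redirect or an error page)
classify_response() {
  status="$1"; body="$2"
  case "$status" in
    403|404) echo denied; return 0 ;;
  esac
  case "$body" in
    *'<?php'*)          echo source ;;
    *'CANARY-OK-1764'*) echo executed ;;   # 42*42 is computed only if PHP ran
    *)                  echo unknown ;;
  esac
}

# Drop a canary into the upload directory, fetch it, classify, clean up.
# Exit status is non-zero when PHP was executed, so this can gate a deploy.
check_uploads_php_exec() {
  uploads_dir="$1"; uploads_url="$2"
  name="canary-$$.php"                     # per-run name, removed afterwards
  printf '%s\n' '<?php echo "CANARY-OK-" . (42*42); ?>' > "$uploads_dir/$name"
  body_file=$(mktemp)
  status=$(curl -s -o "$body_file" -w '%{http_code}' "$uploads_url/$name")
  body=$(cat "$body_file")
  rm -f "$body_file" "$uploads_dir/$name"
  verdict=$(classify_response "$status" "$body")
  echo "$verdict"
  [ "$verdict" != executed ]
}

# Usage: check_uploads_php_exec /var/www/blog/wp-content/uploads https://blog.example/wp-content/uploads
# (assumed path and URL; prints executed/source/denied/unknown and fails on "executed")
```

The canary deliberately computes its marker (42*42) rather than containing it literally, so the source of the file can never be mistaken for executed output, and the source check runs first so that a file served as text is never reported as executed. Run the check with the snippet from print_hardened_conf in place and you should see denied; with only the AddType rule from Step 1 you should see source.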