How to: Disable php processing in wordpress upload folder.

May 18th, 2011

Warning: This post is 12 years old. Some of this information may be out of date.

If you host a WordPress site and have enabled writeable permissions on any of the folders it is recommended that you disable php processing in WordPress upload folders.

If you are running Apache you can do this in the VirtualHosts file as follows:

<Directory "/path/to/my/wordpress/wp-content/uploads">
    php_admin_flag engine off
    AllowOverride None
    DirectoryIndex Off
    RewriteEngine On
    RewriteRule \.php$ - [F,L]
</Directory>

And here's the test:

andrew@andrew:~$ curl -I http://www.euperia.com/img/content/index.php
HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 222
Date: Wed, 18 May 2011 09:20:59 GMT
X-Varnish: 1332974452
Age: 0
Via: 1.1 varnish
Connection: keep-alive

← Next

10 Skills A Web Developer Needs To Have

Previous →

Subversion TortoiseSVN menu in Ubuntu Nautilus