What Plugins Run Php Scripts in Upload Directory

WordPress files and directories play a vital role in keeping your site secure. Setting their permissions properly should be one of your first priorities after installing WordPress. Controlling who can see which files and what actions a user can take improves your site's security posture significantly. In this post, we'll discuss how disabling both PHP execution and directory browsing can improve your site's security.

Disable PHP Execution: Why & How?

Certain WordPress folders such as Uploads, Themes and Plugins are writable by default. This permission is what lets users upload images and videos to the site, or install themes and plugins. Every time we install a plugin or a theme, new files are stored in the respective folder; this wouldn't be possible if the Themes and Plugins folders were not writable.

One of the reasons many people prefer WordPress is the ability to customize a site easily with themes and plugins. Anyone can install any theme or plugin on their website, which is possible because the Themes and Plugins folders are writable by default. Unfortunately, the same permission also gives an attacker somewhere to put files: once a hacker finds any way to upload a file (a vulnerable upload form, a compromised account), they can drop a malicious PHP script into a writable folder and execute it remotely simply by requesting its URL. From there they can gain full access to your site, turn it into a host for phishing pages, SEO spam or brute-force attacks against other sites, or destroy it.

The 2014 MailPoet Newsletters vulnerability is a well-known case: an upload flaw let attackers write a PHP backdoor into the Uploads folder and then execute it to take control of the site.

It's not practical to remove write permission, because then you can't upload images or install plugins and themes. What you can do is reduce the impact of a successful upload by disabling PHP execution in the folders that must stay writable: a web shell that the server refuses to run is just an inert file.

A simple way of disabling PHP execution is to place a short block in the .htaccess file of the specific folder where you want it disabled. This works on Apache and on servers that honour Apache-style .htaccess files (LiteSpeed, for example); nginx ignores .htaccess entirely, so there the equivalent rule has to go in the server configuration.

Note: Take a backup of your site before modifying these files. A single mistake in the steps below can break your site or cause other problems (a typo in .htaccess makes Apache answer every request in that folder with a 500 error). A backup ensures you can quickly revert to a working copy of your site when an issue crops up.

Step 1: To disable PHP execution in the Uploads folder, you need a .htaccess file inside that folder. You will find the folder at wp-content/uploads under public_html (or whatever your host calls the web root).

Step 2: Open Notepad (Windows) or TextEdit (Mac) and create a plain-text file. Paste the following block and save the file as .htaccess (not .htaccess.txt; on a Mac, make sure TextEdit is in plain-text mode). Do not copy the "# BEGIN WordPress ... # END WordPress" rewrite rules from your site's root .htaccess into this file: they belong at the root and do nothing useful inside Uploads.

          <FilesMatch "(?i)\.(php[0-9]*|phtml|phar|phps)(\.|$)">
              <IfModule mod_authz_core.c>
                  Require all denied
              </IfModule>
              <IfModule !mod_authz_core.c>
                  Order Allow,Deny
                  Deny from all
              </IfModule>
          </FilesMatch>

The pattern matches any file whose name contains a PHP-type extension (.php, .php5, .php7, .phtml, .phar, .phps), in any letter case, whether it is the last extension or is followed by another one. The <IfModule> pair uses the Apache 2.4 syntax (Require all denied) where it is available and falls back to the Apache 2.2 syntax (Order/Deny) otherwise; an unknown directive in .htaccess produces a 500 error for the whole folder, which is one of the ways this edit can "break" a site.

Step 3: Upload the file into the Uploads folder with your FTP client or the host's File Manager.

Step 4: You now have a new .htaccess file in the Uploads folder. If the folder already contained one (some plugins create it), right-click it, select Edit, and append the block above instead of overwriting the file. In the image below, we placed the code in our .htaccess file.

This ensures that a request for any file with a PHP extension in that folder is refused with a 403 instead of being handed to the PHP interpreter. If a hacker manages to upload a file like "maliciousPHPFileDisguisedAsJPEGfile.php.jpg", the request for it is blocked too. That double-extension case matters because on Apache setups that map PHP with AddHandler, mod_mime considers every extension in the name, so such a file would otherwise run as PHP. Apache's extension matching is also case-insensitive, which is why the pattern is: "shell.PHP" would otherwise execute.

One caveat a practitioner should keep in mind: this .htaccess file lives inside the very folder the attacker can write to, so an attacker who can upload files may also be able to replace it. If you have access to the server configuration, put the same FilesMatch block in a <Directory> section for the uploads path instead; that copy cannot be altered through the web application.

For maximum security, you can add the same block to the .htaccess files of the plugins and themes folders as well, but test carefully afterwards: some plugins and themes legitimately serve .php files directly from their own folders, and those will stop working.
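Because the FilesMatch pattern alone decides what gets blocked, it is worth checking it concretely rather than trusting it. The Python script below is an added example, not code from the article or from MalCare's product. It runs the minimal pattern \.(php|php\.)$ (which only matches names ending in .php or .php.) and a hardened pattern against a constructed list of filenames and reports which names each would deny. Python's re module is close enough to Apache's PCRE for these patterns, and re.search mirrors FilesMatch, which is an unanchored match against the file's base name.

```python
import re

# The minimal pattern versus a hardened one. This comparison is an added example,
# not part of the MalCare article; the filenames below are constructed for it.
ORIGINAL_PATTERN = r"\.(php|php\.)$"
HARDENED_PATTERN = r"(?i)\.(php[0-9]*|phtml|phar|phps)(\.|$)"

# Constructed sample of names an attacker might drop into wp-content/uploads/.
SAMPLE_UPLOADS = [
    "summer-photo.jpg",
    "report.pdf",
    "shell.php",
    "shell.PHP",            # case variant: mod_mime matches extensions case-insensitively
    "shell.php5",
    "backdoor.phtml",
    "disguised.php.jpg",    # double extension, executed by AddHandler-style PHP mappings
    "payload.phar",
    "shell.php.",           # trailing dot: the only double-extension case the minimal pattern catches
]


def denied_by(pattern: str, names):
    """Return the names that Apache's FilesMatch would match with this pattern (and so deny)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def coverage_gap(names=SAMPLE_UPLOADS):
    """Names the hardened pattern denies but the minimal pattern lets through."""
    return sorted(
        set(denied_by(HARDENED_PATTERN, names)) - set(denied_by(ORIGINAL_PATTERN, names))
    )


if __name__ == "__main__":
    for label, pat in (("minimal", ORIGINAL_PATTERN), ("hardened", HARDENED_PATTERN)):
        print(f"{label:9} denies: {denied_by(pat, SAMPLE_UPLOADS)}")
    print("missed by minimal pattern:", coverage_gap())
```

Running it shows the minimal pattern denying only shell.php and shell.php., while every other PHP-type name, including the disguised .php.jpg, would still reach the interpreter.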

Manually disabling PHP execution is a bit risky. One must tread carefully in the File Manager; a single misstep can cause serious harm to your site. It is easier and less risky to disable PHP execution using a plugin. MalCare Security Service comes with a Site Hardening feature that allows users to Block PHP Execution.

You will need your FTP details to enable this feature.

Disabling PHP execution hardens your site's security, but we can go one step further and disable directory browsing.

Stop Directory Browsing: Why & How?

Sometimes anyone can view the directory listing of a WordPress site. For instance, visitors to our website Westworld Fansite can view the files in the wp-includes folder by simply opening "http://westworldfansite.com/wp-includes/" in a browser.

It may seem harmless, but a directory listing can reveal information that attackers use to pick their next step: the plugin and theme folders (and so the versions to look up known vulnerabilities for), stray backup or .bak copies of configuration files, and the names of uploaded files that were meant to stay private. Hence we need to hide listings. Security by obscurity is no substitute for patching, but removing free reconnaissance costs nothing: the less an attacker learns about your site, the more work an attack takes.


To harden our site's security, we disabled directory browsing by placing the following line in the .htaccess file.

Remember to take a backup of your site before modifying .htaccess files. One mistake can cause major problems on your site. A backup ensures that you can quickly revert to a working copy of your site when an issue crops up.

Also remember to edit the .htaccess file of the directory in which you want to prevent browsing. For instance, to protect the folder wp-includes, place the following line in the .htaccess file of that folder:

          Options -Indexes

Note the plain ASCII hyphen in front of Indexes; a dash character pasted from a web page produces a 500 error. Write just -Indexes rather than All -Indexes: the All keyword switches on every other option (ExecCGI, Includes and so on) as a side effect, which is the opposite of hardening. Because Options settings are inherited by subdirectories, putting this one line in the .htaccess at the site root disables listings for wp-includes, wp-content/uploads and everything else at once. If your host's AllowOverride setting does not permit Options in .htaccess, the server answers every request with a 500 error instead; restore the backup and ask the host to set it in the server configuration.

After saving the file, we tried to view the directory listing and a 403 error page appeared.
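After both changes, the quickest confidence check is to request the two things the hardening is supposed to refuse (the Uploads directory listing and a PHP file inside Uploads) and look at what comes back. The script below is an added example, not code from the article or from MalCare's product. It assumes you supply your site's base URL and that you have placed, by FTP, a harmless probe file in wp-content/uploads/ containing <?php echo "PHP-EXECUTED-MARKER"; ?> (the filename php-exec-probe.php and the marker string are hypothetical choices of this example). The decision logic is kept in two pure functions so it can be exercised offline on constructed responses; delete the probe file when you are done.

```python
"""Post-hardening checks for a WordPress uploads directory (added example)."""
import sys
import urllib.error
import urllib.request

PROBE_NAME = "php-exec-probe.php"   # hypothetical probe file you upload yourself by FTP
MARKER = "PHP-EXECUTED-MARKER"      # hypothetical string the probe echoes if PHP runs


def fetch(url: str):
    """GET a URL and return (status, body); HTTP errors are ordinary answers here."""
    req = urllib.request.Request(url, headers={"User-Agent": "upload-hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:        # 403, 404, 500 ... still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:                 # DNS failure, refused connection
        return 0, ""


def classify_listing(status: int, body: str) -> str:
    """Interpret the response to GET /wp-content/uploads/."""
    if status == 403:
        return "blocked"            # what Options -Indexes produces
    if status == 200 and "Index of /" in body:
        return "listing-exposed"    # Apache (and nginx) autoindex pages carry this title
    return "no-listing"             # an index file or some other page answered


def classify_php_probe(status: int, body: str) -> str:
    """Interpret the response to GET the probe file inside uploads."""
    if status == 403:
        return "blocked"            # FilesMatch with Deny / Require all denied
    if status == 200 and "<?php" in body:
        return "source-disclosed"   # not executed, but raw source served (e.g. engine off)
    if status == 200 and MARKER in body:
        return "php-executed"       # the hardening is not in effect
    return "unexpected"


def run_checks(base_url: str):
    """Probe a live site; returns a verdict per check."""
    base = base_url.rstrip("/")
    listing = classify_listing(*fetch(f"{base}/wp-content/uploads/"))
    php = classify_php_probe(*fetch(f"{base}/wp-content/uploads/{PROBE_NAME}"))
    return {"directory_listing": listing, "php_execution": php}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_uploads.py https://your-site.example")
    for check, verdict in run_checks(sys.argv[1]).items():
        print(f"{check}: {verdict}")
```

The "source-disclosed" verdict is checked before "php-executed" on purpose: if the server stops running PHP but still serves the file as text (php_flag engine off on mod_php does this), the raw source, marker included, comes back in the body, and that is a separate problem worth knowing about.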


Over to You lot

Disabling PHP execution and directory browsing can definitely improve your website's security, but it's only one of the many ways to secure a WordPress site from hack attempts. A few other security measures you can take include using a security plugin, using an SSL certificate, using a unique and strong username and password, and implementing HTTP authentication and two-factor authentication, among other things.

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security problems that admins face.


Source: https://www.malcare.com/blog/disable-php-execution-directory-browsing/
