My site loads a bunch of images from the uploads folder, using direct URLs, such as:

http://www.example/wp-content/uploads/some.image.png

I'm trying to figure out a remote script execution issue, and one of the things recommended on https://wordpress/support/article/hardening-wordpress/ is to prevent script execution in the uploads folder, using the .htaccess file:

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>

My site is running on IIS, so to achieve the same result, I removed the PHP handler for the uploads folder and all its subfolders:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <remove name="php-7.1.7" />
        </handlers>
    </system.webServer>
</configuration>

However, if I use the web.config file, loading an image using a direct URL leads to an HTTP 500 error. Consequently, themes don't load properly.

How would I go about preventing PHP script execution in the uploads folder, without breaking static file loading?

Adding <add name="StaticFile" /> below <remove name="php-7.1.7" /> makes no difference.

Asked May 29, 2018 at 17:35 by Ryan; edited Jan 25, 2021 at 1:06 by Celso Bessa.

1 Answer

I don't know if that is the right way, but the last time I worked with IIS, I used this code to prevent the loading of a PHP script in the uploads folder.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <!-- Applies only to wp-content/uploads and its subfolders -->
    <location path="wp-content/uploads">
        <system.webServer>
            <security>
                <requestFiltering>
                    <fileExtensions>
                        <!-- Reject any request for a .php file; other file types are untouched -->
                        <add fileExtension=".php" allowed="false" />
                    </fileExtensions>
                </requestFiltering>
            </security>
        </system.webServer>
    </location>
</configuration>

If you try to execute a PHP script in the uploads folder or in its subfolders, it will result in a 404 error.

I hope it helps you further.

Useful links on that subject:

Translate .htaccess Content to IIS web.config - docs.microsoft

My WordPress web.config - saotn
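
An added example, not part of the original question or answer: a Python check that parses a web.config and lists which extensions matched by the question's .htaccess pattern are not denied by request filtering for the uploads location. The candidate extension list and the function names are assumptions made for this example; whether an uncovered extension would actually execute depends on the server's handler mappings.

```python
import re
import xml.etree.ElementTree as ET

# Extension pattern copied from the .htaccess rule quoted in the question.
HTACCESS_RULE = re.compile(r"\.ph(?:p[345]?|t|tml)$")
# Constructed list of extensions to test against that pattern.
CANDIDATES = [".php", ".php3", ".php4", ".php5", ".php7", ".pht", ".phtml", ".png"]

# The web.config from the answer, embedded as sample input.
ANSWER_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="wp-content/uploads">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions>
            <add fileExtension=".php" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>"""

def denied_extensions(config_xml, location_path):
    """Lower-cased extensions denied by request filtering under location_path."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    want = location_path.strip("/").lower()
    denied = set()
    for loc in root.iter("location"):
        if loc.get("path", "").strip("/").lower() != want:
            continue  # rule applies to a different folder
        for file_exts in loc.iter("fileExtensions"):
            for add in file_exts.findall("add"):
                if add.get("allowed", "true").lower() == "false":
                    denied.add(add.get("fileExtension", "").lower())
    return denied

def coverage_gaps(config_xml, location_path="wp-content/uploads"):
    """Extensions the .htaccess rule matches that the web.config does not deny."""
    wanted = {ext for ext in CANDIDATES if HTACCESS_RULE.search("file" + ext)}
    return sorted(wanted - denied_extensions(config_xml, location_path))

if __name__ == "__main__":
    print("denied:", sorted(denied_extensions(ANSWER_CONFIG, "wp-content/uploads")))
    print("matched by .htaccess rule but not denied:", coverage_gaps(ANSWER_CONFIG))
```

Each extension it reports can be closed with another `<add fileExtension="..." allowed="false" />` entry in the same `<fileExtensions>` block.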
