How can I disable PHP execution in a specific subdirectory?

B

binaryfire

New Member
#1
#1
Hi guys

How can I disable PHP in a specific subdirectory? I've got a media uploads folder where I want to prevent PHP execution (for an added layer of security).

Thanks!
 
Cold-Egg

Cold-Egg

Administrator
#2
#2
Can use rewrite rule to prevent it. Go to the uploads folder and add .htaccess with following rules,

Code: 
RewriteEngine on
RewriteRule (.*)php$ - [F]
 
robyflc

robyflc

New Member
#3
#3
Hi, guys!

I have tried the rewrite rule above but I've just found out that it only works if the file name is explicitly written.
If I have such .htaccess file inside a folder named /uploads, it would prevent someone trying to access

//example.com/uploads/index.php

but they would still be able to access
//example.com/uploads/

and it would show them the index.php file.

I believe the only way to prevent this would be to completely disable the PHP file execution inside de folder but I didn't find a way to do it.
Is there a way to disable PHP execution inside specific directories?
 
robyflc

robyflc

New Member
#6
#6
Cold-Egg said:
How about creating a "/uploads/ " context from web admin and set no to Accessible option.
Click to expand...
I've tried to create a context and got the same result: if I use /wp-contents/uploads/ as the context, file uploads stop working.
If I use /wp-contents/uploads/*.php, file uploads work fine, I cannot access /wp-contents/uploads/index.php but /wp-contents/uploads/ still show me index.php.
 
Cold-Egg

Cold-Egg

Administrator
#10
#10
Hi @robyflc, I see, please ignore the context method.

Please try putting this on the document root .htaccess file
Code: 
RewriteRule ^wp-content\/uploads(\/|.*\/|php)$ - [F,L]
or put the following on the /wp-content/uploads/.htaccess file.
Code: 
RewriteCond %{REQUEST_URI} ^.*(\/|php)$ [NC]
RewriteRule .* - [F,L]
Let us know which one works for you.
 
You must log in or register to reply here.
Top