If an attacker manages to place a PHP file in the upload directory, the web server will execute it when the file is requested. As a precaution, PHP execution is generally disabled for the upload directory altogether.
Under Apache (with mod_php), PHP execution can be switched off for the directory as follows:

```apache
# Use the absolute filesystem path of the upload directory here;
# <Directory> matches filesystem paths, not URL paths.
<Directory /wp-content/uploads>
    php_flag engine off
</Directory>
```

Note that `php_flag` is a mod_php directive; if PHP runs through PHP-FPM instead, this directive is not available and the PHP handler has to be blocked for that directory by other means.
The Nginx equivalent is a nested location that denies every `.php` request under the upload directory:

```nginx
location /wp-content/uploads/ {
    # Case-sensitive regex location nested inside the upload prefix
    location ~ .*\.(php)?$ {
        deny all;
    }
}
```
Several directories can be restricted with a single case-insensitive regex location (note that the leading `^/` anchors it to directories directly under the site root):

```nginx
location ~* ^/(uploads|images)/.*\.(php|php5)$ {
    deny all;
}
```

After deploying either variant, confirm with a request for a harmless test `.php` file in the directory that the server returns 403 instead of executing it.
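As an added illustration (not part of the original page), the following Python script applies the two Nginx patterns above to constructed request paths, so the coverage of each rule is visible: the nested rule is case-sensitive, the multi-directory rule is anchored at the site root and therefore does not cover `/wp-content/uploads/`, and neither rule covers extensions other than `.php` and `.php5`. It models only the prefix check plus regex matching, not the full Nginx location-selection algorithm.

```python
import re

# Rules exactly as written on the page: a prefix location for the WordPress
# upload directory with a nested, case-sensitive (~) regex location, and a
# separate case-insensitive (~*) regex location for several root directories.
UPLOADS_PREFIX = "/wp-content/uploads/"
UPLOADS_DENY_RE = re.compile(r".*\.(php)?$")
MULTI_DIR_DENY_RE = re.compile(r"^/(uploads|images)/.*\.(php|php5)$", re.IGNORECASE)


def denied_by_upload_rules(uri: str) -> bool:
    """Return True if either deny rule from the page would match the path.

    Assumes the path is already normalised (no query string, no '..').
    This is a simplified model of the two rules, not an nginx emulator.
    """
    # Nested location: only considered for requests under the prefix.
    if uri.startswith(UPLOADS_PREFIX) and UPLOADS_DENY_RE.search(uri):
        return True
    # Multi-directory rule: '^' anchors it at the URI root.
    return bool(MULTI_DIR_DENY_RE.search(uri))


if __name__ == "__main__":
    # Constructed sample paths, not real requests.
    samples = [
        "/wp-content/uploads/2024/01/test.php",   # denied by nested rule
        "/wp-content/uploads/2024/01/photo.jpg",  # allowed (not PHP)
        "/wp-content/uploads/test.PHP",           # allowed: nested rule is case-sensitive
        "/wp-content/uploads/test.phtml",         # allowed: extension not covered
        "/wp-content/uploads/test.",              # denied: (php)? makes 'php' optional
        "/uploads/test.php5",                     # denied by multi-directory rule
        "/images/test.PHP",                       # denied: ~* is case-insensitive
    ]
    for path in samples:
        verdict = "DENY " if denied_by_upload_rules(path) else "ALLOW"
        print(f"{verdict} {path}")
```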