How to disable PHP files in the upload folder of WordPress with IIS
This is another security tip to harden a WordPress site running on IIS. Attackers constantly look for loopholes in a website, so it is better to prepare for each type of attack; a careful developer minimises the chance of compromise by implementing security measures.
Placing .php files in the uploads folder is one of the most common attack techniques: an attacker uploads a PHP file to the uploads folder and then requests it to run it, whether to extract information or to delete content.
By default, a PHP file placed in the uploads folder executes like any other PHP file on the site. To check this, upload an “index.php” file containing the following code to your uploads folder:
<?php echo "index code working"; ?>
Create a blank index.php file, paste the code above into it, and upload it to your uploads folder at “your-website-root/wp-content/uploads”. Then open that “index.php” file in your browser.
The URL will be http://example.com/wp-content/uploads/index.php, where “example.com” is your domain name.
You will see that the PHP code in your “index.php” file runs just like any other PHP file on the site; see the image attached to the post.
To stop PHP files from executing in this folder, follow these steps:
Step 1. Create a blank “web.config” file
Step 2. Copy and paste the following code into your “web.config” file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
Step 3. Upload this file to your uploads folder.
That's it. In the screenshot of the uploads folder you can see that the “index.php” file and the “web.config” file sit side by side.
Now request that URL again, “http://example.com/wp-content/uploads/index.php”, where “example.com” is your domain.
This time the code in your “index.php” does not execute. Instead you get a message like “The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.” See the second image, taken after applying the changes above. This works because <clear /> discards every handler inherited from the site-level configuration, including the PHP FastCGI handler, and the single remaining StaticFile handler with requireAccess="Read" serves every file in the folder as static content. If IIS instead returns a 500.19 error saying the section is locked at a parent level, the handlers section has to be unlocked in applicationHost.config before a folder-level web.config can override it.
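As an added check that is not part of the original post, the Python script below parses a folder-level web.config and flags anything in its <handlers> section that would still let a request reach a script engine; the hardened sample is the configuration from this post, while the weak sample, its handler name and the php-cgi.exe path are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the handler-clearing web.config from the post above.
HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>"""

# Constructed weak sample: no <clear />, plus a PHP FastCGI mapping in the
# folder itself (the scriptProcessor path is a placeholder).
WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="PHP_via_FastCGI" path="*.php" verb="*" modules="FastCgiModule"
           scriptProcessor="C:\\php\\php-cgi.exe" resourceType="Either" />
    </handlers>
  </system.webServer>
</configuration>"""


def handler_findings(web_config_xml: str) -> list[str]:
    """Return the problems found in <handlers>; an empty list means every
    request in this folder is served as static content only."""
    root = ET.fromstring(web_config_xml)
    handlers = root.find("./system.webServer/handlers")
    if handlers is None:
        return ["no <handlers> section: site-level handlers (PHP included) are inherited"]
    problems = []
    if handlers.find("clear") is None:
        problems.append("no <clear />: inherited handlers still execute .php files")
    for add in handlers.findall("add"):
        name = add.get("name", "?")
        # IIS documents requireAccess as defaulting to Script, so a missing
        # attribute is as permissive as an explicit Script.
        access = add.get("requireAccess", "Script")
        if access in ("Script", "Execute"):
            problems.append(f"handler {name} allows {access} access")
        if any(m in add.get("modules", "") for m in ("FastCgiModule", "CgiModule", "IsapiModule")):
            problems.append(f"handler {name} routes requests to {add.get('modules')}")
        if add.get("scriptProcessor"):
            problems.append(f"handler {name} invokes {add.get('scriptProcessor')}")
    return problems
```

Run handler_findings() on the web.config you actually uploaded; anything other than an empty list means PHP can still run in the folder.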