[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures
WordPress Trac
noreply at wordpress.org
Thu Apr 28 15:17:19 UTC 2016
#36177: default htaccess should include security measures
-------------------------+------------------------------
Reporter: lelutin | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
-------------------------+------------------------------
Comment (by bendoh):
Having just dealt with a site hacked because of Revolution Slider (*fist
shake*), this sprang to mind and I'm glad there's a ticket for it.
So <Location> may not be usable in .htaccess, but it appears <Files> is.
Since wp-content/uploads should presumably never have executable code,
perhaps adding wp-content/uploads/.htaccess with the following rule
will work:
{{{
<Files *.php>
deny from all
</Files>
}}}
This works for me, but it may break existing plugins that would (stupidly)
rely on executing uploaded PHP files.
But how does this particular .htaccess file get locked down? Presumably
wp-content/uploads is writable by the webserver, so it doesn't completely
prevent vulnerable code from manipulating or deleting this file entirely.
What springs to mind is using a sticky bit on wp-content/uploads so that
as long as .htaccess isn't owned by the webserver, that file can't be
manipulated from vulnerable PHP code.
Unfortunately, sticky bits aren't a thing on Windows, AFAIK.
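The lockdown sketched in the comment above, written out as an added example that is not part of the ticket and not WordPress core code. It writes the deny rule into wp-content/uploads/.htaccess (in both the Apache 2.4 "Require" form and the 2.2 / mod_access_compat "Deny from" form the comment uses), sets the sticky bit on the directory, and then checks that the rule file cannot be removed or rewritten by the web server account. The web server user name (wp-example-www in the test), the owner/group arguments, and the Linux/GNU coreutils tooling (stat -c, ls -ld) are assumptions of the example.

```shell
#!/bin/sh
# Added example for locking down wp-content/uploads against uploaded PHP.
# Not WordPress code. Assumes Linux with GNU coreutils and an Apache vhost whose
# AllowOverride permits the directives below (AuthConfig for Require, Limit for
# Order/Deny). All user and group names passed in are assumptions.

# Write an .htaccess that refuses to serve PHP from the uploads tree. Matches the
# usual PHP extensions rather than only *.php (assumption: these are the ones the
# server maps to the PHP handler), and carries both Apache 2.4 and 2.2 syntax.
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Nothing under uploads/ should ever execute; only serve static files.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Make the rule file hard to remove from vulnerable PHP: sticky bit on the
# directory (only an entry's owner, the directory's owner, or root may delete or
# rename it), directory and .htaccess owned by a non-webserver account, and the
# rule file not group/world writable. The web server gets write access to the
# directory through the group. $2/$3 (owner/group) need root, so they are only
# applied when given.
harden_uploads_dir() {
    dir=$1; owner=${2:-}; group=${3:-}
    [ -z "$owner" ] || chown "$owner" "$dir" "$dir/.htaccess"
    [ -z "$group" ] || chgrp "$group" "$dir"     # webserver writes via group
    chmod 1775 "$dir"                            # rwxrwxr-x plus sticky (t)
    chmod 0644 "$dir/.htaccess"
}

# Check that the lockdown actually holds against web server user $2.
# Returns 0 if every condition passes, 1 (with the reason on stdout) otherwise.
verify_uploads_lockdown() {
    dir=$1; webuser=$2; ht=$dir/.htaccess
    [ -f "$ht" ] || { echo "missing $ht"; return 1; }
    grep -Eq 'Require all denied|Deny from all' "$ht" \
        || { echo "no deny rule in $ht"; return 1; }
    # 10th character of ls -ld is the sticky bit ('t' or 'T') when set.
    case $(ls -ld "$dir" | cut -c10) in
        t|T) ;;
        *) echo "no sticky bit on $dir"; return 1 ;;
    esac
    # If the web server owns the directory or the file, the sticky bit is no
    # protection: a directory's owner may delete any entry in it.
    for f in "$dir" "$ht"; do
        [ "$(stat -c %U "$f")" != "$webuser" ] \
            || { echo "$f is owned by $webuser, who could delete or replace $ht"; return 1; }
    done
    # Group write is character 6, world write is character 9 of the mode string.
    case $(ls -ld "$ht" | cut -c1-10) in
        ?????w*|????????w*) echo "$ht is group- or world-writable"; return 1 ;;
    esac
    return 0
}

# Usage (as root, assumed names):
#   write_uploads_htaccess /var/www/html/wp-content/uploads
#   harden_uploads_dir     /var/www/html/wp-content/uploads deploy www-data
#   verify_uploads_lockdown /var/www/html/wp-content/uploads www-data
```

Two caveats a practitioner should keep in mind: `deny from all` is Apache 2.2 syntax and only works on 2.4 if mod_access_compat is loaded, which is why the example carries both forms; and an .htaccess rule only applies if the vhost's AllowOverride admits it, so on a server that sets `AllowOverride None` the same block belongs in the vhost configuration instead, where the web server cannot touch it at all. The sticky bit prevents deletion and renaming, not modification, so the ownership and mode checks in `verify_uploads_lockdown` are what stop a compromised PHP process from simply overwriting the file.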
--
Ticket URL: <https://core.trac.wordpress.org/ticket/36177#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform