[wp-trac] [WordPress Trac] #36177: default htaccess should include security measures

WordPress Trac noreply at wordpress.org
Thu Apr 28 15:17:19 UTC 2016


#36177: default htaccess should include security measures
-------------------------+------------------------------
 Reporter:  lelutin      |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  Security     |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:
-------------------------+------------------------------

Comment (by bendoh):

 Having just dealt with a site hacked because of Revolution Slider (*fist
 shake*), this sprang to mind and I'm glad there's a ticket for it.

 So <Location> may not be usable in .htaccess, but it appears <Files> is.
 Since wp-content/uploads should presumably never have executable code,
 perhaps adding wp-content/uploads/.htaccess with the following rule
 will work:

 {{{
 <Files *.php>
 deny from all
 </Files>
 }}}


 This works for me, but it may break existing plugins that would (stupidly)
 rely on executing uploaded PHP files.

 But how does this particular .htaccess file get locked down? Presumably
 wp-content/uploads is writable by the webserver, so it doesn't completely
 prevent vulnerable code from manipulating or deleting this file entirely.
 What springs to mind is using a sticky bit on wp-content/uploads so that
 as long as .htaccess isn't owned by the webserver, that file can't be
 manipulated from vulnerable PHP code.

 Unfortunately, sticky bits aren't a thing on Windows, AFAIK.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36177#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
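The following is an added example, not code from the ticket or from WordPress core, showing one way to put the comment's two ideas into practice and check the result: write a deny-scripts `.htaccess` into `wp-content/uploads` and set the sticky bit on the directory. It goes slightly beyond the comment's rule: `<FilesMatch>` with a regex is used instead of `<Files *.php>` so that `.phtml`, `.php5` and `.phar` are covered too, and both the Apache 2.2 (`Deny from all`) and Apache 2.4 (`Require all denied`) forms are emitted, since a bare `deny from all` only works on 2.4 when `mod_access_compat` is loaded. The directory path and the `www-data` user name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): harden an uploads directory against
# direct script execution and report whether the sticky-bit protection the
# comment relies on is actually in place.

# Write a deny-scripts .htaccess into $1 and set the sticky bit on $1.
write_uploads_htaccess() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Block direct execution of PHP-like files under wp-content/uploads.
<FilesMatch "\.ph(p[0-9]?|tml|ar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
  # Sticky bit: entries in $dir may only be unlinked/renamed by the entry's
  # owner, the directory's owner, or root.
  chmod +t "$dir"
}

# Returns 0 if the sticky bit is set on directory $1, 1 otherwise.
has_sticky_bit() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    d????????[tT]) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if $1/.htaccess exists and is NOT owned by user $2 (the webserver
# account, e.g. www-data), which is the condition the comment depends on.
htaccess_not_owned_by() {
  f="$1/.htaccess"
  webuser="$2"
  [ -f "$f" ] || return 1
  owner=$(ls -l "$f" | awk '{print $3}')
  [ "$owner" != "$webuser" ]
}

# Example usage (assumed paths and user name):
#   write_uploads_htaccess /var/www/html/wp-content/uploads
#   has_sticky_bit /var/www/html/wp-content/uploads && echo "sticky bit set"
#   htaccess_not_owned_by /var/www/html/wp-content/uploads www-data \
#     && echo ".htaccess not owned by webserver"
```

Two caveats worth keeping in mind when applying this. The sticky bit only restricts unlink and rename; it does nothing to stop a webserver-owned process from overwriting a `.htaccess` that is writable by that process, so the file also needs to be owned by another account with mode 0644 (and not group-writable by the webserver's group). And because the sticky bit still lets the directory's own owner delete any entry, the protection is void if `wp-content/uploads` itself is owned by the webserver user; the directory has to be owned by a different account and made writable to the webserver through group permissions or an ACL instead.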
