<b>Uploads Directory Hardening SOP</b>
Do this on every site that accepts file uploads.
— Step 1: Block PHP execution in <code>wp-content/uploads/</code>. The classic backdoor is a .php file disguised as an image that lands in this directory.
— Step 2: For Nginx: <code>location ~* /uploads/.*\.php$ { deny all; }</code>. For Apache: a <code>.htaccess</code> denying .php, .phtml, .phar.
— Step 3: Validate uploads by content, not extension. Check magic bytes, not just <code>.jpg</code>.
— Step 4: Strip EXIF and rename files to random tokens on upload to kill path-guessing.
— Step 5: Disallow double extensions like <code>shell.php.jpg</code>.
— Step 6: Verify. Drop a test .php in uploads, request it, confirm it downloads as text — never executes.
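Steps 3 to 5 are the application-side half of this SOP, so here is a worked upload filter that applies them together. It is an added example written for this page, not code from Lockdown Ledger: the allow-list of image signatures, the constructed sample JPEG and the function names (<code>process_upload</code>, <code>strip_exif</code>, <code>rejection_reason</code>) are all assumptions. EXIF stripping is done by walking the JPEG marker segments and dropping APP1, where EXIF and XMP metadata live, so no third-party library is needed.

```python
import os
import secrets

# Allow-list of accepted image types keyed by the extension they are stored under,
# with the magic bytes each must begin with (constructed for this example).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions named in the post's .htaccess rule; never accepted as an upload name.
EXECUTABLE_EXTS = {"php", "phtml", "phar"}


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails a check."""


def sniff_type(data: bytes):
    """Step 3: identify the file by its leading bytes, ignoring the claimed extension."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def check_name(filename: str) -> str:
    """Step 5: allow exactly one non-empty, non-executable extension; return it normalised."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not all(parts):
        # rejects "shell.php.jpg" (double extension), "noext", ".htaccess" and "file."
        raise UploadRejected(f"{filename!r}: exactly one non-empty extension required")
    if parts[1] in EXECUTABLE_EXTS:
        raise UploadRejected(f"{filename!r}: executable extension")
    return "jpg" if parts[1] == "jpeg" else parts[1]


def strip_exif(data: bytes) -> bytes:
    """Step 4: drop every APP1 segment (EXIF/XMP) from a JPEG.

    Walks the marker segments up to Start-Of-Scan (0xFFDA); the entropy-coded
    image data after SOS carries no metadata and is copied through unchanged.
    Non-JPEG input is returned as-is.
    """
    if not data.startswith(b"\xff\xd8"):
        return data
    out = bytearray(b"\xff\xd8")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise UploadRejected("malformed JPEG: expected marker")
        marker = data[i + 1]
        if marker == 0xDA:                      # SOS: rest is image data, keep verbatim
            out += data[i:]
            return bytes(out)
        length = int.from_bytes(data[i + 2:i + 4], "big")   # length covers its own 2 bytes
        if length < 2 or i + 2 + length > len(data):
            raise UploadRejected("malformed JPEG: bad segment length")
        if marker != 0xE1:                      # keep DQT, SOF, DHT, APP0/JFIF; drop APP1 only
            out += data[i:i + 2 + length]
        i += 2 + length
    raise UploadRejected("malformed JPEG: no start-of-scan marker")


def process_upload(filename: str, data: bytes):
    """Run steps 3-5; return (storage_name, cleaned_bytes) or raise UploadRejected."""
    claimed = check_name(filename)
    actual = sniff_type(data)
    if actual is None:
        raise UploadRejected(f"{filename!r}: content is not an allowed image type")
    if actual != claimed:
        raise UploadRejected(f"{filename!r}: extension says {claimed}, content is {actual}")
    cleaned = strip_exif(data) if actual == "jpg" else data
    # Step 4 (naming): random token, so the stored path cannot be guessed from the upload name.
    return f"{secrets.token_hex(16)}.{actual}", cleaned


def rejection_reason(filename: str, data: bytes):
    """Return the rejection message for (filename, data), or None if it would be accepted."""
    try:
        process_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


# Constructed minimal JPEG: SOI, an APP1 segment with a fake EXIF payload,
# a DQT stub, then SOS followed by a few data bytes and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe1" + (10).to_bytes(2, "big") + b"Exif\x00\x00\x01\x02"
    + b"\xff\xdb" + (5).to_bytes(2, "big") + b"\x00\x01\x02"
    + b"\xff\xda" + b"\x00\x02" + b"\xaa\xbb\xff\xd9"
)

if __name__ == "__main__":
    samples = [("photo.jpg", SAMPLE_JPEG), ("shell.php.jpg", SAMPLE_JPEG),
               ("shell.php", b"<?php /* constructed, harmless */ ?>"), ("cat.png", SAMPLE_JPEG)]
    for name, blob in samples:
        print(name, "->", rejection_reason(name, blob) or "accepted")
```

The filter complements, rather than replaces, the execution block from Step 2: a validator bug must still fail safe behind the web-server rule. One caveat on the Nginx snippet in Step 2: Nginx selects the first matching regex <code>location</code> in file order, so the <code>deny all</code> block has to appear before any <code>location ~ \.php$</code> handler that passes requests to PHP-FPM, or the handler wins and Step 6 will show the test file executing.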
Run this every time.
Lockdown Ledger
@LockdownLedger
This post was published in the Lockdown Ledger Telegram channel. You can subscribe via the link: @LockdownLedger.