I have taking over a site for someone and it is a dreaded word press site. I have no experience of word press or CMS for that matter. I do my coding from scratch.

I got the site working. When uploaded the web files to document root with an ftp client i made sure all folders are 755 and every file is 644.

However there is an uploads folder inside the document root since this is 755 and files 644 i guess the administrative users etc wont have permissions to upload images etc

Im getting no answeres on the word press site. The installation documentation didnt even mention file permissions.

I dont think my host will allow me to store any folders outside of the document root, and doubt you can even configure wp to do so. So moving the uploads folder is not an option.

Personally as a web designer i would never store any uploaded files inside the doc root that is asking for trouble. However since i dont have the abilty to store below doc root. I must find another method to secue this folder. i cant just set it to 777 or whatever as you know i will get hacked. Usually i would just 777 it and protect it with htaccess then any files would be fetched and outputed with a php script. Unfortunatly this stupid wordpress application has no htaccess file inside the uploads folder and allows users to browse the content directly. Therefore creating an htaccess will be very tricky anyway. I dont know what the upload scripts allow. But im guessing PUT php file could be used to cause a nightmare. If i could figure out what was allowed to be uploaded could i restrict users from browsing content that didnt match file extensions etc. How do i stop the hacker inserting bogus files when the content in this folder is browsable.

I just convinced myself that word press is a load of rubbish….

I found this article

http://digwp.com/2012/09/secure-media-uploads/

So i inserted the htaccess file in to the uploads folders etc
then i did recursive 777 on the uploads folder.

I wonder is this right because now all ths files inside are 777 could these by deleted?

I was trying PUT on the 777 folder

curl -T file.php http://example.com/wp-content/uploads/

Nothing appeared in there. But i am unsure the correct method a hacker would use to insert a script? Not sure i even want to know that

I did ftp a php file in to that folder and the site doesnt allow access to it when the htaccess file is there.

Im still worried though that these files could be deleted. and scripts could still be insrted i guess. But maybe not executed.

Another thing i wondered is if shoule redirect folder levels to GET queries to a script with mod rewrite.

something like

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{query_string} ^(.*)$
    RewriteBase /
    RewriteRule ^(wp-content)/(uploads)/([A-Za-z0-9_.-]+)$ /get_file.php?level1=$3
    RewriteRule ^(wp-content)/(uploads)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)$  /get_file.php?level1=$3&leve2=$4 [QSA]
    RewriteRule ^(wp-content)/(uploads)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)$  /get_file.php?level1=$3&leve2=$4&level3=$5 [QSA]
    RewriteRule ^(wp-content)/(uploads)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)$ /get_file.php?level1=$3&leve2=$4&level3=$5&level4=$6 [QSA]
</IfModule>

Then completelty deny any access to that directory?

<Directory /wp-content/uploads>
     order deny,allow
     Deny From All
</Directory>

Any help would be appreciated.

Read more here: secure word press uploads folder


Solution:

If you know the solution of this issue, please leave us a reply in Comment section, to update the question.

Related Wordpress search:

, , , ,

Wordpress related questions and answers: