WordPress uploads issue: files with "php" in the name are blocked!

iThemes Security (formerly Better WP Security) has implemented some rules to prevent unwanted actions on your WordPress website. One of these rules is meant to prevent PHP execution inside the “uploads” folder. The line which is supposed to do it is in the .htaccess file. The line says:

[code]RewriteRule ^(.*)/uploads/(.*).php(.?) - [F][/code]

Although it was supposed to prevent calling .php files within “uploads”, it actually blocks calling anything which has “php” anywhere in its path. So if you upload an image named “cake-php-paginator-model.jpg” to Media, you get a 403 access denied error when you try to open it directly, or a broken image where the image should be.

So if you just uploaded a file to Media, it seemed to upload fine, but a “broken image” icon showed up where the image should have been, and you have the iThemes Security plugin installed, keep on reading.

How to fix it?

Well, it is the iThemes Security people who are supposed to fix it, in the first place. But if you have upgraded to the latest iThemes Security plugin and are still facing this issue, believe me, they haven’t done it yet. So keep on reading.

Ok, so our rewrite rule needs to be corrected. Or in fact replaced with a better one which will do what it is supposed to do, i.e. prevent executing PHP inside “uploads”. In fact, this very rule they have placed does not STOP execution of PHP scripts at all! It just prevents opening a .php file through HTTP! How’s that? I won’t explain it here anyway. Let’s just fix it so our images with “php” in the name are displayed.

You have two choices (all credit goes to Thomas O.) (Ref. http://goo.gl/AOyrN6)

If you just want to correct what iThemes Security tried to do, i.e. prevent opening “.php” pages, just replace the rule with:

[code]RewriteRule /uploads/.*\.php - [F][/code]

so that it escape the period (.) just before “php”. So that it just blocks just the urls which include “.php” and not “php”. A period (.) without escaping would match anything otherwise.
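To see the difference between the two patterns, here is a small added check (not part of the original post or the plugin) that runs both RewriteRule patterns over constructed sample paths with Python's re module, which is close enough to Apache's PCRE for these patterns. It also shows a side effect the post does not mention: because neither rule is anchored at the end of the path, a harmless double-extension file such as notes.php.txt is blocked by both.

```python
import re

# Apache RewriteRule patterns from the post. RewriteRule patterns are unanchored
# (search semantics) and, in an .htaccess file, are matched against the path
# relative to the directory holding that .htaccess (here the WordPress root).
ORIGINAL_RULE = r"^(.*)/uploads/(.*).php(.?)"  # iThemes rule: the '.' before php is unescaped
FIXED_RULE = r"/uploads/.*\.php"                # corrected rule: literal ".php" only

# Constructed sample request paths (not from the post).
SAMPLE_PATHS = [
    "wp-content/uploads/2014/01/cake-php-paginator-model.jpg",  # the image from the post
    "wp-content/uploads/2014/01/holiday-photo.jpg",             # ordinary image, no "php"
    "wp-content/uploads/2014/01/stray-script.php",              # a real .php file
    "wp-content/uploads/2014/01/notes.php.txt",                 # double extension
]


def is_blocked(rule: str, path: str) -> bool:
    """True if the RewriteRule pattern matches the path, i.e. Apache would answer 403 ([F])."""
    return re.search(rule, path) is not None


def compare_rules(paths=SAMPLE_PATHS) -> dict:
    """Map each path to (blocked by original rule, blocked by fixed rule)."""
    return {p: (is_blocked(ORIGINAL_RULE, p), is_blocked(FIXED_RULE, p)) for p in paths}


if __name__ == "__main__":
    for path, (orig, fixed) in compare_rules().items():
        print(f"{path}\n  original rule blocks: {orig}\n  fixed rule blocks:    {fixed}")
```

Note that both rules only decide whether Apache serves the URL; neither changes how a .php file would be handled if it were reached some other way, which is the point the second choice below addresses.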

The second choice is to do the correct thing, that is, to actually prevent execution of PHP scripts inside the “uploads” folder. The following piece of code, placed on its own in the .htaccess file, will do it:

[code]Options -ExecCGI
RewriteRule /uploads/.*\.php - [H=cgi-script,NC,L][/code]

For the explanation of the lines above, please check the source page http://goo.gl/AOyrN6
