
Disabling uploads (13 posts)

  1. Edd
    Member
    Posted 8 years ago #

    How can I completely remove the upload field from the post page? I've looked at post.php and can't find the code for the uploader anywhere! I want to remove it because it's a multi user blog and I don't have the space to allow uploads. Plus WordPress 2.0 won't give me any options whatsoever as to limit the size of files, allowed files, or those who are allowed to upload.
    thanks!

  2. Arlo
    Member
    Posted 8 years ago #

    Comment out line 220 in "/wp-admin/edit-form-advanced.php" and line 184 in "edit-page-form.php".

  3. Edd
    Member
    Posted 8 years ago #

    Thanks for the reply. I just managed to get the uploads working properly.. so how do I set the maximum file size for uploads?

  4. Arlo
    Member
    Posted 8 years ago #

  5. Edd
    Member
    Posted 8 years ago #

    Ahh that's great, thanks a lot Arlo!

  6. serialdeviant
    Member
    Posted 8 years ago #

    I have a similar question.

    Oh, and line 220 on edit-form-advanced is <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" /> and line 184 in edit-page-form is blank. I'm not sure these are the right lines to comment out.

    Should it be

    <?php
    if (current_user_can('upload_files')) {
        $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
        $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
        $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
        if ( false != $uploading_iframe_src )
            echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
    }
    ?>

    (Lines 236-246 and 198-208 respectively).

    I'm not a PHP coder, so if someone could take pity on me and actually explain if I need to comment out ALL the lines (as in, insert // at the start of each line) or just the first one, then if I can delete the inline-uploading PHP file from the server?

    My web host has told me that it can be a break-in point for hackers and I was hacked 4 times in 2 days.

    Andrea

  7. serialdeviant
    Member
    Posted 8 years ago #

    HELP! My site has been hacked again and I really need an answer to this question before I wipe my account and start afresh!

  8. maerk
    Member
    Posted 8 years ago #

    I have a plugin that removes the inline uploader, that might help you.

    http://beingmrkenny.co.uk/blog/2006/01/remove-inline-uploader/

    It does depend on how the hackers are getting in.

    Have you filed a bug report? Security issues are usually a matter of some urgency.

    http://codex.wordpress.org/Submitting_Bugs

  9. serialdeviant
    Member
    Posted 8 years ago #

    I have checked out your plugin, and plan to use it (way ahead of you there, hehe), along with deleting the inline-uploading.php file altogether (after the account has been reset, as it were).

    Most unfortunately, I'm not technical enough to work out if that is the real problem - I'm just trying to cover all the bases.

  10. maerk
    Member
    Posted 8 years ago #

    Did your hosts give you any more information about the attack? See if they know where the vulnerability lies, exactly.

  11. serialdeviant
    Member
    Posted 8 years ago #

    All they said was hacks normally happen to their customers who have PHP scripts that allow file uploading. They said they could not find out how it was happening.

    That was after I escalated it to management - earlier, all they said was 'Your scripts are outdated, you need new ones.' When I asked exactly which scripts, I was greeted with a stunning silence. That's when I decided to escalate.

    Is it possible for a hacker to insert malicious code into a database entry, and get in from there? I'm trying really hard to work out what is the cause / minimise the likelihood of it happening again.

  12. serialdeviant
    Member
    Posted 8 years ago #

    I have run the disable inline uploading plugin and not uploaded the inline-uploading.php file. The account was wiped and I started from scratch (after restoring the database, of course). So it's not been hacked yet. But we'll see.

  13. rathjaus
    Member
    Posted 7 years ago #

    You can also use what is written here: http://blogs.securiteam.com/index.php/archives/658 which will get rid of the option in future versions as well.
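
The block quoted in post 6 exposes two hooks that disable the uploader without editing core files, so the change survives upgrades. The following is an added example, not part of the original thread and not the code of either plugin linked above; the plugin name and the `example_` function names are hypothetical.

```php
<?php
/*
Plugin Name: Disable Uploads (example)
Description: Added example. Denies the upload_files capability and suppresses the inline uploader iframe.
*/

// Hypothetical helper: strip upload_files from the capability set that
// current_user_can() consults, so the check in the quoted block
// (and any other check of this capability) fails for every user.
function example_deny_upload_cap($allcaps) {
    unset($allcaps['upload_files']);
    return $allcaps;
}
add_filter('user_has_cap', 'example_deny_upload_cap');

// Hypothetical helper: the quoted block only echoes the iframe when the
// filtered source is not false, so returning false here removes the
// upload box from the edit forms even if the capability check passed.
function example_hide_upload_iframe($src) {
    return false;
}
add_filter('uploading_iframe_src', 'example_hide_upload_iframe');
?>
```

Returning false from `uploading_iframe_src` only hides the form; denying `upload_files` is what makes the `current_user_can('upload_files')` test itself fail.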

Topic Closed

This topic has been closed to new replies.
