Really Simple CAPTCHA
Suggestions to secure the wpcf7_captcha directory (4 posts)

  1. MickeyRoush
    Member
    Posted 2 years ago #

    This is just a suggestion, but I would highly recommend that if it's possible that you incorporate this idea into your plugin.

    By default this plugin creates a directory 'wpcf7_captcha' in your 'uploads' directory. There it creates a .php and .png file when needed.

    Well, users by default have the ability to upload files. If they knew that you were using this plugin and could verify that directory was there, it's possible that they could upload a shell script there.

    My suggestion would be to incorporate the creation of an .htaccess file there with the following contents:

    Order Allow,Deny
    <FilesMatch "^[0-9]+\.png$">
    Allow from all
    </FilesMatch>

    That way, only the .png files that are created will be accessible via HTTP. Nothing else, not even a double extension. Ideally it would be better to replace the '+' with the character limit set by the plugin, if any. But I couldn't confirm the limit. Maybe something like {1,15}.

    This is just a suggestion and I welcome any feedback.

    http://wordpress.org/extend/plugins/really-simple-captcha/
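    An added example (not code from this thread or from the plugin) that mirrors the rule above as a local check: the same anchored regex Apache's FilesMatch applies to the bare file name, a helper that writes the suggested .htaccess into the captcha directory, and an audit of which names in a constructed sample directory would still be reachable over HTTP. The directory contents are constructed; the {1,15} bound is the poster's suggestion, not a confirmed plugin limit.

```python
import os
import re
import tempfile

# The rule from the .htaccess above. Apache's FilesMatch tests the bare file
# name, so the same anchored regex reproduces its decision here.
SERVE_PATTERN = re.compile(r"^[0-9]+\.png$")
# The poster's bounded variant ({1,15}); the real plugin limit was not confirmed.
SERVE_PATTERN_BOUNDED = re.compile(r"^[0-9]{1,15}\.png$")

HTACCESS = (
    "Order Allow,Deny\n"
    '<FilesMatch "^[0-9]+\\.png$">\n'
    "Allow from all\n"
    "</FilesMatch>\n"
)

def is_served(filename, pattern=SERVE_PATTERN):
    """True if the rule would let Apache serve this bare file name."""
    return pattern.fullmatch(filename) is not None

def ensure_htaccess(captcha_dir):
    """Write the suggested .htaccess unless an identical one already exists.
    Returns True when the file was (re)written."""
    path = os.path.join(captcha_dir, ".htaccess")
    if os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            if fh.read() == HTACCESS:
                return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(HTACCESS)
    return True

def audit(captcha_dir):
    """Split the directory listing into names the rule serves and names it blocks."""
    names = sorted(os.listdir(captcha_dir))
    return {"served": [n for n in names if is_served(n)],
            "blocked": [n for n in names if not is_served(n)]}

def demo():
    """Constructed sample directory: one legitimate captcha image beside
    names an uploaded file might carry, including a double extension."""
    captcha_dir = tempfile.mkdtemp(prefix="wpcf7_captcha_")
    for name in ["123456.png", "123456.php", "upload.php", "123.png.php"]:
        open(os.path.join(captcha_dir, name), "w").close()
    first = ensure_htaccess(captcha_dir)
    second = ensure_htaccess(captcha_dir)  # identical file now present
    result = audit(captcha_dir)
    result["htaccess_written"] = [first, second]
    return result
```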

  2. Takayuki Miyoshi
    Member
    Plugin Author

    Posted 2 years ago #

    Nice.

    Actually, I had the same idea, but your .htaccess looks better than mine.

  3. westerdaled
    Member
    Posted 2 years ago #

    Hi

    This looks good. Can you confirm the final version of this .htaccess in the 'wpcf7_captcha' dir for those of us who are newbies?

    Thanks Daniel

  4. axiommedia
    Member
    Posted 1 year ago #

    Must say this solution solved the issue with the captcha image not showing up.

Topic Closed

This topic has been closed to new replies.