Title: Hardcoded wp-content/uploads directory since 4.8 Last modified: August 30, 2016 --- # Hardcoded wp-content/uploads directory since 4.8 * Resolved [pyramusnl](https://wordpress.org/support/users/pyramusnl/) * (@pyramusnl) * [10 years, 10 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/) * I think there is an issue with your new rule for preventing execution in Uploads folder. Your updated rule specifies the uploads directory to be inside “/wp-content/”. This will only work if you did not change the name of the content folder – which most plugin users would have done, naturally. * A (somewhat) better rule in htaccess is below. * ``` # Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads RewriteRule ^(.*)/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F] ``` * But I hope you guys can come up with a more strict solution where the variable for the content dir from wp-config.php is used as well. * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/) Viewing 6 replies - 1 through 6 (of 6 total) * [Gerroald](https://wordpress.org/support/users/gerroald/) * (@gerroald) * [10 years, 10 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308379) * Hi Pyramusnl, * Thanks for reporting this. I’ve filed a bug report. I’ve also added a link to this post so I can update you with progress. * Thanks, * Gerroald * [Aaron D. Campbell](https://wordpress.org/support/users/aaroncampbell/) * (@aaroncampbell) * [10 years, 10 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308389) * The directory used for the .htaccess rule is pulled from `get_option( 'upload_path')` so it should be right for your install *when it is written*. We will look into possibly monitoring and updating that rule if the content directory is changed. * Thread Starter [pyramusnl](https://wordpress.org/support/users/pyramusnl/) * (@pyramusnl) * [10 years, 10 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308425) * Hey there, thanks so much for the quick reply. * [@aaron](https://wordpress.org/support/users/aaron/), i’m not sure i understand correctly: although [ithemes security seems to know about the renaming](https://www.dropbox.com/s/aji2kaw1i2ae14n/Screenshot%202015-07-08%2019.13.30.png?dl=0), the htaccess rule was still setup incorrectly for my installation, like this: ` RewriteRule ^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ - [NC,F]` * I just checked my wp-config and see i’ve correctly defined **WP_CONTENT_DIR** and **WP_CONTENT_URL**. The uploads folder is just residing in this content folder like usual. Everything on my site seems to be working fine, including uploads in the correct folder. * Please let me know if you think if the plugin is indeed operating like designed or if it should have “pulled” the correct folder? * Thanks! * [Aaron D. Campbell](https://wordpress.org/support/users/aaroncampbell/) * (@aaroncampbell) * [10 years, 10 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308431) * I’ll do some further testing. It looks like there might be some cases where the content directory is changed, the upload path option is set to wp-content/uploads, and WordPress replaces it with WP_CONTENT_URL . ‘/uploads’. We’ll look into it and try to get firm up the way we handle these rewrites. * Thanks for the report! * [Gerroald](https://wordpress.org/support/users/gerroald/) * (@gerroald) * [10 years, 9 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308732) * Hey Pyramusnl, * This is now fixed in 4.9.0. Can you please confirm? * Thanks, * Gerroald * Thread Starter [pyramusnl](https://wordpress.org/support/users/pyramusnl/) * (@pyramusnl) * [10 years, 9 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308747) * Yay, confirmed! * Thanks for the update. Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘Hardcoded wp-content/uploads directory since 4.8’ is closed to new replies. * ![](https://ps.w.org/better-wp-security/assets/icon.svg?rev=3529351) * [Kadence Security – Password, Two Factor Authentication, and Brute Force Protection](https://wordpress.org/plugins/better-wp-security/) * [Frequently Asked Questions](https://wordpress.org/plugins/better-wp-security/#faq) * [Support Threads](https://wordpress.org/support/plugin/better-wp-security/) * [Active Topics](https://wordpress.org/support/plugin/better-wp-security/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/better-wp-security/unresolved/) * [Reviews](https://wordpress.org/support/plugin/better-wp-security/reviews/) ## Tags * [htaccess](https://wordpress.org/support/topic-tag/htaccess/) * [php](https://wordpress.org/support/topic-tag/php/) * [wp-content](https://wordpress.org/support/topic-tag/wp-content/) * 6 replies * 3 participants * Last reply from: [pyramusnl](https://wordpress.org/support/users/pyramusnl/) * Last activity: [10 years, 9 months ago](https://wordpress.org/support/topic/hardcoded-wp-contentuploads-directory-since-48/#post-6308747) * Status: resolved