Support » Plugin: BulletProof Security » Protect WP Uploads Folder with BPS

  • Resolved sally

    (@sallyruchman)


    Hello,

    I would like to know if it's possible to also protect the WP Uploads folder with the BPS plugin?

    For instance, is it possible to just create an hta file and add this:

    # BPS mod_access_compat
    # Allow,Deny
    # First, all Allow directives are evaluated. At least one must match, or the request is rejected.
    # Next, all Deny directives are evaluated. If any matches, the request is rejected.
    # Last, any requests which do not match an Allow or a Deny directive are denied by default.
    #
    # Deny,Allow
    # First, all Deny directives are evaluated. If any match, the request is denied unless
    # it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
    #
    # *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
    # Match Allow only ----------- Request allowed ------------------------ Request allowed
    # Match Deny only ------------ Request denied ------------------------- Request denied
    # No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
    # Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed
    #
    # NOTE: The zip file extension can be added to block remote access or execution of zip files. Several plugins
    # create either temporary or permanent zip files in the uploads folder. This may block those plugins from being
    # able to create zip files in your uploads folder.
    #
    # BEGIN WHITELIST
    # Examples of whitelisting are commented out below. To create whitelist rules you would delete the # sign in front
    # of the whitelist rule you want to use, add the actual filename or folder name you want to whitelist and also 
    # delete the # sign in front of #Allow from env=whitelist.
    # Whitelist a specific js file in the uploads folder: example.js
    #SetEnvIf Request_URI "example.js$" whitelist
    # Whitelist an entire folder in the uploads folder: /uploads/example-folder/
    #SetEnvIf Request_URI "example-folder/.*$" whitelist
    # END WHITELIST
    #
    # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
    <FilesMatch "\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$">
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </FilesMatch>
    
    # FORBID PHP FILES DISGUISED AS AN IMAGE FILE - example.php.jpg - example.PHP.jpg
    <FilesMatch "\.(php|PHP|\.+(php)|\.+(PHP)).*$">
    Order Allow,Deny
    #Allow from env=whitelist
    Deny from all
    </FilesMatch>

    Thx
    Best regards
    Sally

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author AITpro

    (@aitpro)

    Basically, what that file/code does is prevent files/code for the file types listed in the FilesMatch condition from being executed/processed by/from a browser. If a hacker had already gained access to your hosting account (local access vs. remote access), then that htaccess file/code would not offer much, if any, protection. The last section of code protects against image files renamed in a way that they could be executed/processed. Hope that helps.
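
An added example, not part of the thread or the BPS plugin's code: a Python check that runs the two FilesMatch patterns from the post against constructed file names and applies the Order table quoted in its comments. The function names and sample file names are assumptions made for the illustration.

```python
import re

# FilesMatch patterns copied verbatim from the post. Apache applies them to
# the file name, case-sensitively; Python's re behaves the same for these.
EXT_RULE = re.compile(r"\.(7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|vb|vbe|vbs|war|ws|wsf|xhtml|xml|z)$")
DISGUISED_RULE = re.compile(r"\.(php|PHP|\.+(php)|\.+(PHP)).*$")

def matched_rules(filename):
    """Return the names of the FilesMatch sections that apply to filename."""
    rules = []
    if EXT_RULE.search(filename):
        rules.append("extension")
    if DISGUISED_RULE.search(filename):
        rules.append("disguised-php")
    return rules

def order_result(order, allow_match, deny_match):
    """Apply the mod_access_compat Order table quoted in the post."""
    if order == "Allow,Deny":
        # Needs an Allow match and no Deny match; default is denied.
        return allow_match and not deny_match
    if order == "Deny,Allow":
        # Denied only when a Deny matches and no Allow does; default allowed.
        return allow_match or not deny_match
    raise ValueError(f"unknown Order: {order}")

def is_served(filename, whitelisted=False, allow_line_enabled=False):
    """True if a request for filename in /uploads passes the posted rules.

    whitelisted: a SetEnvIf line set env=whitelist for this request.
    allow_line_enabled: '#Allow from env=whitelist' has been uncommented.
    """
    if not matched_rules(filename):
        return True  # no FilesMatch section applies to this name
    allow_match = allow_line_enabled and whitelisted
    # Both sections use 'Order Allow,Deny' with 'Deny from all', so the Deny
    # always matches; per the table a request matching both is still denied.
    return order_result("Allow,Deny", allow_match, deny_match=True)

# Constructed sample file names, not taken from any real site.
SAMPLES = ["photo.jpg", "report.pdf", "shell.php", "example.php.jpg",
           "example.PHP.jpg", "backup.sql", "archive.zip"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} rules={matched_rules(name)} served={is_served(name)}")
```
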

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

    Thread Starter sally

    (@sallyruchman)

    Thanks for the reply. What would then be an option to protect the WP Uploads folder with BPS Security?

    br

    Plugin Author AITpro

    (@aitpro)

    Do you have the BPS plugin or the BPS Pro plugin? If you have the BPS Pro plugin then that option already exists. The BPS free plugin does not include that option. So you would just need to create your own custom manual solution, i.e. create a custom htaccess file for the WordPress /uploads folder.

    Thread Starter sally

    (@sallyruchman)

    Ok, Thanks
