WordPress is the most widely used CMS platform, making it a prime target for hackers. Although WordPress plugins add incredible functionality, they can also create vulnerabilities if not properly maintained.
Hackers often exploit weaknesses in outdated plugins or poorly managed security updates, especially in areas where users can upload files or submit data to the server. In this post, I will discuss how hackers typically use file uploads as a means to inject malicious code, and how you can secure your site against such attacks.
3 Steps of a File Upload Attack
-
Scanning for Vulnerabilities: Hackers typically start by using security scanning tools to find weak points in your WordPress site. These tools analyze the website to identify exploitable vulnerabilities, such as outdated plugins or unpatched security holes. It’s similar to asking a doctor for health advice and then doing exactly the opposite.
-
Uploading Malicious Files: Once the hacker identifies a vulnerability, they upload a malicious PHP file, often named something like
attack.php, to your site. The file is placed in the/wp-content/uploads/directory, a common folder for storing uploaded images, documents, and other media files. -
Executing the Attack Script: After uploading the malicious file, the hacker can access it directly by navigating to:
https://example.com/wp-content/uploads/attack.php
The Reason Behind the Vulnerability
The root cause of this problem is how web servers handle requests through the .htaccess file. Typically, .htaccess configurations look something like this:
RewriteCond %{REQUEST_FILENAME} !-f # File does not exist
RewriteCond %{REQUEST_FILENAME} !-d # Directory does not exist
RewriteRule . /index.php [L]
This setup ensures that if a requested file or folder doesn’t exist, the server reroutes the request to index.php, which processes the website’s logic. However, if the hacker knows the exact path to their malicious PHP file, they can bypass this and directly call the file, as it is technically a “file that exists” on the server.
How to Fix the Issue
To protect your site from these types of attacks, you need to implement a few simple security measures.
1. Restrict PHP File Execution in Upload Folders
Since the /wp-content/uploads/ folder should only store media files (like images, documents, CSS, or JS), PHP files have no business being there. You can create a .htaccess file in the /wp-content/uploads/ folder to block the execution of PHP files:
<Files ~ "^.*\.([Pp][Hh][Pp])">
Order allow,deny
Deny from all
</Files>
This code ensures that even if a hacker uploads a malicious PHP file, it will not be executed from the uploads folder.
2. Prevent Overriding with Nested .htaccess Files
A significant flaw of .htaccess files is that they can be overridden by additional .htaccess files placed in subdirectories. For instance, a hacker could upload a .htaccess file into /wp-content/uploads/elementor/ with a directive to allow PHP execution, bypassing your security:
Allow from allTo prevent this, you need to configure your server settings so that .htaccess files in subdirectories cannot override the security rules. Add the following configuration to your Apache virtual host:
<VirtualHost :443>
DocumentRoot "/var/path/to/example.com"
ServerName example.com
SSLEngine on
SSLCertificateFile "server.crt"
SSLCertificateKeyFile "server.key"
<Directory "/var/path/to/example.com/wp-content/uploads/">
AllowOverride None
</Directory>
</VirtualHost>
This will ensure that no .htaccess or php.ini files uploaded to subdirectories can override your main security settings.
You will need to edit the Apache configuration file where your Virtual Hosts are defined. This is usually found in one of the following locations, depending on your server setup:
/etc/httpd/conf/httpd.conf(on CentOS or Red Hat)/etc/apache2/sites-available/000-default.conf(on Ubuntu or Debian)
Conclusion
By following these steps, you can significantly reduce the risk of file upload vulnerabilities in your WordPress site. Always ensure your plugins are up-to-date, restrict PHP file execution in your uploads folder, and lock down your server’s configuration to prevent malicious overrides.
Securing your website is an ongoing task, but taking these precautions will help keep hackers at bay.
Hi, I’m Nghia Vo: a computer hardware graduate, passionate PC hardware blogger, and entrepreneur with extensive hands-on experience building and upgrading computers for gaming, productivity, and business operations.
As the founder of Vonebuy.com, a verified ecommerce store under Vietnam’s Ministry of Industry and Trade, I combine my technical knowledge with real-world business applications to help users make confident decisions.
I specialize in no-nonsense guides on RAM overclocking, motherboard compatibility, SSD upgrades, and honest product reviews sharing everything I’ve tested and implemented for my customers and readers.
