If the uploaded directory is embedded with a PHP file, the file can be executed remotely. For the sake of security, PHP scripts cannot be run on the upload directory.
In Apache, we can use the following method to disable the running of PHP scripts:
<Directory/wp-content/uploads>
Php_flag engine off
</Directory>
The Nginx method is as follows:
Location/wp-content/uploads /{
Location ~ . * \. (Php )? $ {
Deny all;
}
}
For multiple directories, you can restrict them together:
Location ~ * ^/(Uploads | images)/. * \. (php | php5) $
{
Deny all;
}
Lighthttpd
$ HTTP ["url"] = ~ "^/(Forumdata | templates | upload | images )/"{
Fastcgi. server = ()
}
For example, the WordPress attachment directory does not allow PHP to run.
I am using nginx. Here is how to disable it:
Location/wp-content/uploads /{
Location ~ . * \. (Php )? $ {
Deny all;
}
}
Insert your nginx conf file and restart nginx.
The following is an example of a complete VM:
Server
{
Listen 80;
Server_name bbs.vpser.net;
Index index.html index.htm index. php;
Root/home/wwwroot/bbs.vpser.net; include discuz. conf;
Location/wp-content/uploads /{
Location ~ . * \. (Php )? $ {
Deny all;
}
Location ~ . *. (Php | php5 )? $
{
Fastcgi_pass unix:/tmp/php-cgi.sock;
Fastcgi_index index. php;
Fcinclude GI. conf;
}
Access_log off;
}
Run the following command to test the configuration file:/usr/local/nginx/sbin/nginx-t: /usr/local/nginx/sbin/nginx-s reload load the configuration file to make it take effect.