如果上傳目錄被植入 PHP 檔案,即可遠程執行。為了安全起見,我們一般會對上傳目錄禁止運行 PHP 指令碼。
在 Apache 下面我們可以通過一下方法來禁止運行 PHP 指令碼:
<Directory /wp-content/uploads>
php_flag engine off
</Directory>
Nginx 方法如下:
location /wp-content/uploads/ {
location ~ .*\.(php)?$ {
deny all;
}
}
而對於多個目錄的話,可以一起進行限定:
location ~* ^/(uploads|images)/.*\.(php|php5)$
{
deny all;
}
lighthttpd
$HTTP["url"] =~ "^/(forumdata|templates|upload|images)/" {
fastcgi.server = ()
}
例子,WordPress附件目錄禁止運行PHP
我用的是nginx,說說禁止方法:
location /wp-content/uploads/ {
location ~ .*\.(php)?$ {
deny all;
}
}
插入你的nginx conf中,重啟nginx即可。
附上一個完整的虛擬機器主機的例子供參考:
server
{
listen 80;
server_name bbs.vpser.net;
index index.html index.htm index.php;
root /home/wwwroot/bbs.vpser.net;include discuz.conf;
location /wp-content/uploads/ {
location ~ .*\.(php)?$ {
deny all;
}
location ~ .*.(php|php5)?$
{
fastcgi_pass unix:/tmp/php-cgi.sock;
fastcgi_index index.php;
include fcgi.conf;
}
access_log off;
}
添加完執行:/usr/local/nginx/sbin/nginx -t測試組態檔案,執行:/usr/local/nginx/sbin/nginx -s reload 載入設定檔使其生效.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
