Deny access to all PHP files in a folder

alilet Member
edited July 2023 in Help

Using nginx and php-fpm. I want to deny access to everyone on PHP files in the uploads folder of WordPress. Have written the following in config but I can access the file in the browser using somesite.com/wp-content/uploads/myfile.php. This file contains just one line, phpinfo(), and the browser shows everything.
File permission is www-data:www-data with 644

# the dot before php must be escaped, otherwise it matches any character
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

location ~* /wp-content/uploads/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

What is the correct syntax to deny access?

Thanked by 1truweb

Comments

  • location ~* /wp-content/uploads/.*\.php$ {
      deny all;
      access_log off;
      log_not_found off;
    }
    
  • Levi Member

    This is sooo ugly compared to .htaccess.

  • AXYZE Member
    edited July 2023

    As I hate such one-liners, let's use nested locations:

    location /wp-content/uploads {
        location ~* \.php$ {
            deny all;
            access_log off;
            log_not_found off;
        }
    }
    

    Or you can use an 'if' statement too

    location /wp-content/uploads {
        # deny and log_not_found are not permitted inside an if block
        # (nginx -t reports "directive is not allowed here"), so the
        # request is rejected with return 403 instead
        if ( $request_uri ~* \.php$ ) {
            access_log off;
            return 403;
        }
    }
    
    Thanked by 1alilet
  • AXYZE Member

    @LTniger said:
    This is sooo ugly in compare to .htaccess.

    But so much more efficient in terms of IO, because it's just a single file. The webserver doesn't need to scan for .htaccess in every dir before sending files.
    Once you get used to nginx quirks it's pretty easy.

  • alilet Member

    Ok I got what the issue was. My code to deny all was written after PHP-FPM block. So, all deny access to PHP files blocks should come before the following code:

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php-fpm.sock;
        fastcgi_param HTTPS on;
    }
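    The ordering problem alilet describes comes from how nginx selects a regular-expression location: regex locations are tried in the order they appear in the configuration and the first match wins, so a `deny` block written after the php-fpm block never gets a chance. The model below is an added example written for this thread, not part of any post or of nginx itself; it simplifies nginx's algorithm by modelling only `~`/`~*` regex locations (no prefix or `^~` locations) and constructs both orderings from the thread to show which handler a request for a PHP file in uploads would reach.

    ```python
    import re

    # Constructed model: each location is (modifier, pattern, handler) in file
    # order. nginx tests regex locations top to bottom; the first match is used.
    def pick_location(config, uri):
        for modifier, pattern, handler in config:
            flags = re.IGNORECASE if modifier == "~*" else 0
            if re.search(pattern, uri, flags):
                return handler
        return "static"  # no regex location matched: served as a plain file

    # The two blocks from the thread. "~" is case-sensitive, "~*" is not.
    PHP_FPM = ("~", r"\.php$", "php-fpm")
    DENY_UPLOADS = ("~*", r"/wp-content/uploads/.*\.php$", "deny")

    # Ordering from the original post: deny block written after php-fpm block.
    BROKEN = [PHP_FPM, DENY_UPLOADS]
    # Ordering from the fix: deny block placed before the php-fpm block.
    FIXED = [DENY_UPLOADS, PHP_FPM]

    def handler_for(config, uri):
        """Which handler a request for `uri` ends up in under `config`."""
        return pick_location(config, uri)

    if __name__ == "__main__":
        for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
            for uri in ("/wp-content/uploads/myfile.php", "/index.php",
                        "/wp-content/uploads/photo.jpg"):
                print(f"{name:6} {uri:35} -> {handler_for(cfg, uri)}")
    ```

    In the broken ordering the uploaded file is handed to php-fpm and executed, which is exactly what the original post observed; once the deny block comes first the same request is refused while normal PHP files and static uploads behave as before.
    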
    
  • alilet Member

    One-line code to block wp-includes, wp-content, uploads, *.ini, xmlrpc.php, *.ht

    location ~* (/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini) {
        deny all;
        access_log off;
        log_not_found off;
    }
    
  • wadih Member
    edited July 2023

    Don't know if that would help, but another way you could perhaps protect your phpinfo() file is by adding an IP address check, replacing ww.xx.yy.zz with yours:

    <?php
    // abort unless the request comes from your own address (replace ww.xx.yy.zz)
    if ($_SERVER['REMOTE_ADDR'] != "ww.xx.yy.zz") {
        die();
    }
    phpinfo();
    