Disable PHP on a folder

A web site had vlunerability, all allowed hacker to upload backdoor script to “uploads” folder used by the script.

As a quick fix, i disabled PHP execution from “uploads” folder. Doing this for any site is a good dea when if your site is not vlunerable at the moment.

Method 1

To disable PHP execution, create a file with name .htaccess

vi .htaccess

1	vi .htaccess

Add

php_flag engine off

1	php_flag engine off

Method 2

In .htacess, add

RewriteRule ^.*\.php$ - [F,L]

1	RewriteRule ^.*\.php$ - [F,L]

Only Allow specifc PHP files

Only index.php is allowed. Any other PHP script will result in 403 error.

<FilesMatch ".*\.(phtml|php|PhP|php5)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<FilesMatch "(index).php$">
Order Allow,Deny
Allow from all
</FilesMatch>

Order Allow,Deny

Deny from all

</FilesMatch>

Order Allow,Deny

Allow from all

</FilesMatch>

See htaccess

Only Allow specifc PHP files

Leave a Reply Cancel reply