Securing WordPress Uploads Folder

burnedfaceless
Recently I had a WordPress site for a friend. He never installed it, and someone installed it and uploaded a file that gave them access to my server.

The server wasn't really important, hence me being sort of lax with the security, but it got me thinking about how I could better secure WordPress installations on personal servers.

I was thinking I could either move the uploads directory outside of the web root. Or I could maybe configure Apache or some settings to where PHP files won't run.

I'm not going to post this on Stack Overflow because it's sort of discussion based. So any help would be appreciated.
Distinguished Expert 2018

Commented:
You could also change the permissions on the folder itself. However, it is good that you are thinking about securing WordPress. Make sure to update things frequently.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
1) Recently I had a WordPress site for a friend. He never installed it, and someone installed it and uploaded a file that gave them access to my server.

Define what "access" means. Might be ssh or sftp or something else.

A starting point is required.

2) The server wasn't really important, hence me being sort of lax with the security, but it got me thinking about how I could better secure WordPress installations on personal servers.

You won't "secure WordPress", you'll secure your entire server which will "secure WordPress" as a side effect.

3) I was thinking I could either move the uploads directory outside of the web root.

Won't do any good. Either your server is secure or not. Makes no difference where your uploads directory lives.

Either server is completely secure or completely insecure.

4) Or I could maybe configure Apache or some settings to where PHP files won't run.

You can attempt this + you'll require adding many rule exceptions as WordPress is written in PHP, so many PHP files must be manually allowed to execute.

Then you'll have to possibly repeat this for your theme + plugins.

Much simpler to secure your server.

5) Best first step is reading up about securing Linux servers + you'll only be able to do this type of work if you have root access to your server. If you have no root access, your hosting company handles server security.
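For the Apache route discussed in point 4, here is an added example that is not from this thread, from WordPress or from any of the posters. It scopes the rule to wp-content/uploads, the only directory WordPress expects web users to write into and one in which core stores only media files, so no PHP in core, themes or plugins has to be allowed through individually. It assumes Apache 2.4, a hypothetical DocumentRoot of /var/www/html, and a module identifier of php_module (PHP 8; PHP 7 registers as php7_module). It is VirtualHost or conf.d configuration, not a .htaccess file.

```apache
# Added example, not the thread's or WordPress's own configuration.
# Assumes Apache 2.4 and a hypothetical DocumentRoot of /var/www/html.
# Place it in the VirtualHost or a conf.d snippet and reload Apache.
<Directory "/var/www/html/wp-content/uploads">
    # Refuse any request for a script-looking file in the upload tree.
    # The authorization phase runs before any handler is chosen, so this
    # returns 403 under both mod_php and php-fpm (mod_proxy_fcgi) setups.
    <FilesMatch "\.(?i:php|phtml|phar|php[0-9]|phps|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # Ignore any .htaccess an attacker manages to drop into uploads, so the
    # rule above cannot be undone from inside the writable directory.
    AllowOverride None

    # No CGI execution and no directory listings of uploaded files.
    Options -ExecCGI -Indexes
</Directory>

# Second layer for mod_php only: switch the engine off for this tree.
# The IfModule guard keeps the config loadable when PHP runs via FPM and
# mod_php is not present (identifier assumed: php_module for PHP 8).
<IfModule php_module>
    <Directory "/var/www/html/wp-content/uploads">
        php_flag engine off
    </Directory>
</IfModule>
```

To check it, run `apachectl configtest`, reload, drop a file containing `<?php echo 'x';` at wp-content/uploads/test.php, and request it with `curl -I`; the response should be 403, and the file should then be deleted. The deny rule belongs in the server config rather than in wp-content/uploads/.htaccess because anything that can write a web shell into uploads can also rewrite a .htaccess there; without root you can still use the .htaccess variant, but it is only as strong as the upload path. Note that file permissions alone do not solve this: uploads has to stay writable by the PHP worker user for media uploads to work, which is exactly what lets a dropped .php file land, so denying execution is the control that matters.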

Author

Commented:
David, what happened is my friend was interested in learning WordPress, so I installed it for him and pointed a domain to the server.

He never actually installed it (created a username and password) and a hacker created a username and uploaded this file which gave him access to my server.

I'm more careful about leaving things open on my 'real' server. I use the pass password manager and I use U2F two step verification, etc.

But is there any way to keep PHP files from being executed. Whenever I build a site from scratch I always make sure that files are uploaded outside of the webroot. I was simply wondering if this is possible in WordPress, and if not, should I just change the folder permissions on the server?
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013

Commented:
Is there something specific you are worried about or just asking in general? WP has a good post about this https://wordpress.org/support/article/hardening-wordpress/  You can do all the items listed there. However, once you start adding plugins and more complex themes or builders, you do have to keep up with making sure all updates are current. If a plugin has not been updated in 6 months, I would start getting worried and if it has been a year, replace it.  That will most likely be the weakest link.  Some themes have builders or other functions that attempt to make things easy. Those types of complex themes may be more likely to have a vulnerability too.
Primarily, WordPress, PHP, and Apache need to be constantly updated to keep somewhat secure.

There are a lot of security holes being found on WordPress because it is popular.  You should be updating it all the time to keep ahead of most of the security holes. You'll never get ahead of the 0day vulnerabilities, so you'll never be absolutely secure.

If your friend doesn't actually need it on the internet, then don't put it on the internet.  If he can work on it on a local network, then just have it available only on the intranet.  That will block all the external attacks.
