If you are a maintainer of a website or CMS, don’t always trust the built-in security. If users can upload images or stories to the website, then a hacker may be able to upload script or code as well. One easy way to mitigate this is to make sure that you do not allow scripts to execute by turning off PHP in the upload directory.
Here is what I use. Create a .htaccess file in your image or upload directory (if there is not already one). Place the following lines in it:
Options -Indexes
Options -ExecCGI
php_flag engine off
AddType text/plain .php
AddType text/plain .phps
AddType text/plain .php3
AddType text/plain .php4
AddType text/plain .php5
RemoveHandler .php
# SetHandler default-handler
order allow,deny
deny from all
Make sure that the .htaccess file is not writable by the web server.
# chown root:www .htaccess
# chmod 440 .htaccess
The last thing to do is test your setup. Place a PHP file into the folder and make sure you are not able to execute it.
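
The checks described above can be scripted. The following is an added example, not part of the original post: it audits the .htaccess file (directive present, no write bits, not owned by the web server user) and classifies the response to a probe PHP file. The function names, the PROBE content and the web server user name passed in are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, PROBE and the
# web server user name passed in are assumptions of this example.

# Owner name of a file: field 3 of `ls -ld` output.
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# check_htaccess DIR WEB_USER: prints one finding per line, returns 0 if none.
check_htaccess() {
    f="$1/.htaccess"; web_user="$2"; rc=0
    if [ ! -f "$f" ]; then echo "missing: $f"; return 1; fi
    # The directive must be present and not commented out.
    if ! grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off[[:space:]]*$' "$f"; then
        echo "no active 'php_flag engine off' in $f"; rc=1
    fi
    # chmod 440 leaves no write bit set for owner, group or other.
    if [ -n "$(find "$f" \( -perm -200 -o -perm -020 -o -perm -002 \) -print)" ]; then
        echo "write bit set on $f"; rc=1
    fi
    # A file owned by the web server user can be made writable again by it.
    if [ "$(file_owner "$f")" = "$web_user" ]; then
        echo "$f is owned by $web_user"; rc=1
    fi
    return $rc
}

# Probe for the final test step: save as a .php file in the upload directory.
# Executed PHP prints "probe-42"; the raw source never contains that string.
PROBE='<?php echo "probe-" . (6 * 7); ?>'

# classify_probe HTTP_STATUS BODY
# Prints executed | served-as-text | blocked | unknown; returns 0 for the middle two.
classify_probe() {
    case "$2" in
        *probe-42*) echo executed; return 1 ;;
        *'<?php'*)  echo served-as-text; return 0 ;;
    esac
    case "$1" in
        403|404) echo blocked ;;
        *)       echo unknown; return 1 ;;
    esac
}
```

Pass classify_probe the HTTP status and body returned when the probe file is requested. php_flag only takes effect when PHP runs as an Apache module, so the probe request is the check that shows what the server actually does.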

