Stop PHP files from executing.

Apache PHP and FreeBSD

If you maintain a website or CMS, don’t rely on the built-in security alone.  If users can upload images or stories to the site, an attacker may be able to upload a script as well.  One easy way to mitigate this is to make sure that nothing in the upload directory can be executed, by turning PHP off for that directory.
Here is what I use.  Create a .htaccess file in your image or upload directory (if there is not one already) and put the following lines in it:
# No directory listings and no CGI execution in this directory
Options -Indexes
Options -ExecCGI
# Switch the PHP engine off here. This directive is defined by mod_php only;
# if PHP runs as CGI or FPM, Apache will not recognise it.
php_flag engine off
# Any PHP source that does get uploaded is served as plain text instead
AddType text/plain .php
AddType text/plain .phps
AddType text/plain .php3
AddType text/plain .php4
AddType text/plain .php5
RemoveHandler .php
# Alternative to RemoveHandler: force the default (static file) handler
# SetHandler default-handler
# Refuse direct browser requests for everything in this directory.
# Note that this also blocks direct requests for the images themselves;
# leave these two lines out if the files must be served directly.
# (Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied".)
order allow,deny
deny from all

Make sure that the .htaccess file is not writable by the web server account (on FreeBSD that is normally user and group www):

# chown root:www .htaccess
# chmod 440 .htaccess

The last thing to do is to test your setup.  Place a PHP file into the folder and make sure you are not able to execute it.
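The two checks above (the .htaccess permissions and the "drop a PHP file in and try to run it" test) as a small POSIX shell script. This is an added example, not part of the original post. It assumes the upload directory is writable by the account running the script, that the same directory is reachable at the URL you pass in, and that curl is installed; the /usr/local/www path in the usage comment is just the conventional FreeBSD location and is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Two checks for the setup
# described above:
#   htaccess_locked_down FILE   -> 0 if FILE has no group/other write bit
#   run_probe DIR URL           -> drops a probe .php into DIR, fetches it
#                                  via URL, and reports whether PHP ran.
# Assumptions: DIR is writable by the account running this script, URL is
# the public address of the same directory, and curl is installed.

# Constructed marker that only reaches the response if the PHP engine ran.
MARKER="PHP_EXECUTED_MARKER_$$"

# Source of the probe file: the echo runs only if PHP executes the file.
probe_source() {
    printf '<?php echo "%s"; ?>\n' "$MARKER"
}

# Classify the HTTP status and body returned for the probe.
# Exit codes: 0 = source served verbatim (engine off), 1 = PHP executed,
#             2 = request denied (the "deny from all" case), 3 = unexpected.
classify_response() {
    status="$1"
    body="$2"
    case "$body" in
        *"<?php echo"*) return 0 ;;   # raw source came back: not executed
    esac
    case "$body" in
        *"$MARKER"*) return 1 ;;      # only the echo output: PHP executed
    esac
    if [ "$status" = "403" ]; then
        return 2                      # Apache refused the request outright
    fi
    return 3
}

# Verify the .htaccess cannot be modified by the web server account:
# neither the group nor the "other" write bit may be set (chmod 440 passes).
# Uses ls -l because stat's flags differ between FreeBSD and Linux.
htaccess_locked_down() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group write or other write set
    esac
    return 0
}

# Upload a probe, fetch it over HTTP, clean up, and report the result.
run_probe() {
    dir="$1"
    url="$2"
    name="htaccess-probe-$$.php"
    tmp=$(mktemp)
    probe_source > "$dir/$name"
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url/$name")
    body=$(cat "$tmp")
    rm -f "$dir/$name" "$tmp"          # never leave the probe behind
    if classify_response "$status" "$body"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "OK: $name served as plain text, PHP engine is off" ;;
        1) echo "FAIL: PHP executed $name in $dir" ;;
        2) echo "OK: direct access to $name denied (HTTP 403)" ;;
        *) echo "UNKNOWN: HTTP $status for $name, inspect the response" ;;
    esac
    return "$rc"
}

# Usage (not run here; paths are assumptions):
#   htaccess_locked_down /usr/local/www/site/uploads/.htaccess
#   run_probe /usr/local/www/site/uploads https://www.example.com/uploads
```

The probe is written, fetched and removed in one go, so it never stays on disk. A 403 counts as a pass because with "deny from all" in place Apache refuses the request before any handler runs; if you removed those two lines so that images can be served directly, a pass means the raw PHP source came back as text/plain.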
