Robot Butler
  Making those complicated tasks nice and easy.
  A hub for guides, walkthroughs and general information.
Follow us on Twitter RSS Feed
Article Image This guide is specifically for Apache or compatible web services. It will not work with Microsoft IIS.

Sometimes you may find it necessary to have a folder on your web hosting with insecure permissions (such as 777 on Linux or allowing the guest write access on Windows) due to the owner of the files being different from the user the web service runs as, this is common if you want to be able to upload files or images onto your website (such as Wordpress or Joomla). This is dangerous as this allows any files to be uploaded to this location by any user.

You can help make this a little more secure by locking the folder down so that only images and other select files inside this folder can be accessed through the website. This is done by placing some code in a .htaccess file telling the web server to deactivate all scripting options, remove directory indexes and only allow people to view specific file types.

To do this, place the following code into a file named .htaccess and place it into your insecure folder.

php_flag engine off AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi Options -Indexes -ExecCGI <Files "\.(jpe?g|png|gif|bmp|tiff|swf|flv|mov|avi|mp4)$"> order deny,allow deny from all </Files>

You can add extra file types to the list on the top line, separating each with a pipe (the vertical line). The format of the file list is RegEX so you may want to avoid making too many changes unless you are familiar with how RegEX works.

Keep in mind this doesn't make you impervious to attacks, your folder is still insecure so people can still try and exploit it by uploading into it as another user (especially on a shared hosting platform) but if you absolutely must use 777 permissions on a folder then this will give you a little extra security at no expense.


ixycreativity   ~   Posted on 2012-12-21 13:27:28
This works, but it prevents a gallery plugin from showing my images as well.
How can I make "php_admin_flag engine off" work for everything except for the super-zoom-gallery plugin, which is in another folder?
Benjamin Hodgetts   ~   Posted on 2012-12-21 13:28:58
You should be able to put "php_admin_flag engine on" in that plugin's folder which re-enables PHP for that specific folder.
Jeff   ~   Posted on 2013-03-18 14:18:02
And if you have access by ssh you can also make the .htaccess owned by root e.g. This makes sure that you'll need root-access to change the .htaccess.

Post a Comment

    Email (not displayed)

The name of this website is Robot...      


  • 14 categories
  • 50 articles

Site, design and code by Benjamin Hodgetts.