WordPress Security Tips Part 9 – Prevent PHP files from executing

Since WordPress sites need to allow their users to upload new content, WordPress’ upload directory needs to be writable. As a result, your wp-content/uploads directory should be considered a potential entry point.

The biggest potential threat is the uploading of PHP files. WordPress won’t allow users to upload PHP files through its administrative console; however, a plugin or theme may allow file uploads without using the designated WordPress APIs for doing so. This could result in a malicious PHP file being uploaded and subsequently executed on the server.

The best approach to mitigate this risk is to prevent the web server from serving (and therefore executing) any PHP files in the wp-content/uploads directory, using the following rule.

<Directory "/var/www/wp-content/uploads/">
    <Files "*.php">
        Order Deny,Allow
        Deny from All
    </Files>
</Directory>
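The rule above uses the Apache 2.2 access-control directives. The same restriction in Apache 2.4 syntax, as an added example that is not from the original post (the /var/www path is assumed to match the post's layout):

```apache
# Apache 2.4 form of the rule above: deny every request for a .php file under
# wp-content/uploads, so the PHP handler is never reached for that directory.
# Place this in the server or virtual-host configuration, not in .htaccess.
<Directory "/var/www/wp-content/uploads/">
    # Ignore any .htaccess inside uploads, so the deny rule below cannot be
    # overridden from within the writable directory itself.
    AllowOverride None

    # Files ending in .php (case-sensitive match) get a 403 Forbidden.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>
```

After reloading Apache, a request for any .php path under wp-content/uploads should return 403 Forbidden, while images and other uploaded files are still served normally.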

Read the 10th and final article in the series on WordPress Security – Secure your Debug Logs
Read the previous article in the series on WordPress Security – Restrict Direct Access to Plugin and Theme PHP files
