
Restrict access to upload folders (.htaccess)

RussH edited this page May 6, 2021 · 25 revisions

To restrict access to, and execution of, PHP or other scripts in uploads or other restricted folders, put the following code in a .htaccess file inside that upload folder. If possible, have this .htaccess file owned by root rather than by the web server user, so that a compromised or misbehaving web process cannot overwrite it.

This is the syntax for an Apache web server.

## 1. Ownership

Ensure your upload directory is owned by whatever process runs your web server (usually www-data or apache), and ensure permissions are set to 755 AND NOT 777!

e.g.

```sh
chown apache:apache -R uploads/
chmod 755 -R uploads/
```

Note that the recursive chown also changes the owner of any .htaccess file already inside `uploads/`; if you followed the advice above and want that file root-owned, chown it back to root afterwards.

## 2. .htaccess

```apache
# Don't list directory contents
IndexIgnore *

# Disable script execution
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI -Indexes
```

Only the following file extensions are allowed (pdf, rtf, odf, doc, docx, txt, wpd):

```apache
Order Allow,Deny
Deny from all
<FilesMatch "\.([Pp][Dd][Ff]|[Dd][Oo][Cc][Xx]?|[Rr][Tt][Ff]|[Oo][Dd][Ff]|[Tt][Xx][Tt]|[Ww][Pp][Dd])$">
    Allow from all
</FilesMatch>
```

Block double extensions (e.g. a name like `upload.php.pdf`) from being uploaded or accessed:

```apache
# The two dots in the pattern must be escaped; unescaped they match any
# character and the rule would deny almost every file in the folder.
<FilesMatch ".*\.([^.]+)\.([a-zA-Z0-9]+)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
```

### Notes

Note that the access-control syntax changed from Apache 2.2 to Apache 2.4, e.g. (not specific to the .htaccess above):

On Apache 2.2:

```apache
<Directory /var/www/html>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
```

On Apache 2.4:

```apache
<Directory /var/www/html>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride All
    Require all granted
</Directory>
```

Please ensure you are using the correct syntax.
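The upload-folder rules above use the 2.2-style `Order`/`Allow`/`Deny` directives, which on Apache 2.4 are only honoured when `mod_access_compat` is loaded. The following is an added example, not part of the original wiki page, showing the same .htaccess written with the 2.4 `Require` directives of `mod_authz_core`. It keeps the page's extension list and script-blocking mechanism; the `(?i)` prefix is the PCRE case-insensitive flag and replaces the `[Pp][Dd][Ff]`-style character classes.

```apache
# Added example: Apache 2.4 version of the upload-folder .htaccess.
# The directory's AllowOverride must include FileInfo, Options, Indexes and
# AuthConfig (or be "All") for every directive below to take effect.

# Don't list directory contents
IndexIgnore *
Options -ExecCGI -Indexes

# Treat script-like extensions as CGI; with ExecCGI switched off Apache refuses
# to run them and answers 403 instead of handing them to mod_php or similar.
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .shtml .sh .cgi

# Default for everything in this folder: deny.
Require all denied

# Allow only the document types the application is expected to store.
# Same list as above: pdf, rtf, odf, doc, docx, txt, wpd (case-insensitive).
<FilesMatch "(?i)\.(pdf|docx?|rtf|odf|txt|wpd)$">
    Require all granted
</FilesMatch>

# Names with more than one extension (e.g. upload.php.pdf) are re-denied.
# Order matters: a later <FilesMatch> that matches the same file replaces
# the Require of an earlier one, so this block must come after the allow list.
<FilesMatch "\.[^.]+\.[a-zA-Z0-9]+$">
    Require all denied
</FilesMatch>
```

After deploying, request a known-good document (expect 200), a `.php` file (expect 403) and a double-extension name such as `test.php.pdf` (expect 403) to confirm the three layers behave as intended on your version.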
