How to protect wp-content/uploads folder in Wordpress and avoid spam

19 Aug 2014

Matteo Mattei

linux wordpress email postfix security server spam apache

Usually it is not a problem with Wordpress itself but sometimes we install lot of plugins that come from not well known origins or that are buggy and they can compromise the entire server. So, after dozens of server maintanance sessions, I am going to summarize all the best practice I found.

If you have direct control of the admin area of WP you can restrict the filesystem permissions of uploads folder to only user and group:

chmod o-w wp-content/uploads

Remember that in this way you are not able to upload files from the admin area if the web server runs with other privileges.

Check the origin of all plugins and make sure to keep your WP installation up to date. In fact attackers often use the last vulnerabilities to attack your server!
Use a different user for each domain. This is a general best practice because if an attacker haks your website, he will not be able to access to all other websites in the same server with the same credentials.
Deny the usage of scripts in uploads folder using a special .htaccess file placed in wp-content/uploads/

This third rule is very important and saved me bad headaches.

How to protect wp-content/uploads folder in Wordpress and avoid spam

Related Posts

Full web server setup with Debian 11 (Bullseye) 05 Nov 2022

List of some useful openssl commands 05 Apr 2022

Convert old NodeJs applications to ES6 modules 23 Dec 2021