Hardening uploads folder in IIS breaks images

My site loads a bunch of images from the uploads folder, using direct URLs, such as:

http://www.example.com/wp-content/uploads/some.image.png

I'm trying to figure out a remote script execution issue, and one of the things recommended on https://wordpress.org/support/article/hardening-wordpress/ is to prevent script execution in the uploads folder, using the .htaccess file:

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>

My site is running on IIS, so to achieve the same result, I removed the PHP handler for the uploads folder and all its subfolders:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <remove name="php-7.1.7" />
    </handlers>
  </system.webServer>
</configuration>

However, if I use the web.config file, loading an image using a direct URL leads to an HTTP 500 error. Consequently, themes don't load properly.

How would I go about preventing PHP script execution in the uploads folder, without breaking static file loading?

Adding <add name="StaticFile" /> below <remove name="php-7.1.7" /> makes no difference.

Tags: scripts, iis, php, security, wordpress

Category: Web


I don't know if that is the right way but the last time I worked with IIS, I used this code to prevent the loading of a PHP script in the uploads folder.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="wp-content/uploads">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions>
            <add fileExtension=".php" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>

If you try to execute a PHP script in the uploads folder or in its subfolders it will result in a 404 error.

I hope it helps you further.

Useful links on that subject:

Translate .htaccess Content to IIS web.config - docs.microsoft.com

My WordPress web.config - saotn.org
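Added illustration, not part of either post above: the Apache rule in the question denies six extensions (.php, .php3, .php4, .php5, .pht, .phtml), while the answer's web.config lists only .php. The script below checks sample file names against the original regex, checks them against an equivalent IIS fileExtensions list, and generates a location-scoped web.config carrying the full list. The helper names, the sample file names and the generated config are this example's own assumptions, not the page's. One caveat the checks make visible: Apache's <Files ~> regex is case-sensitive as written, whereas IIS request filtering compares extensions case-insensitively, so the IIS list is the stricter of the two on a Windows filesystem.

```python
"""Compare the WordPress .htaccess PHP-blocking regex with an IIS
requestFiltering fileExtensions list, and emit a web.config for the uploads folder.

Added example for the Q&A above; helper names and sample inputs are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# The regex from the .htaccess snippet in the question, unchanged.
APACHE_PATTERN = re.compile(r"\.ph(?:p[345]?|t|tml)$")

# The extensions that regex matches, written out for IIS (derived by hand from the regex).
PHP_EXTENSIONS = [".php", ".php3", ".php4", ".php5", ".pht", ".phtml"]


def apache_blocks(filename: str) -> bool:
    """True if the <Files ~ "..."> rule would deny this file name.

    Apache's ~ match is case-sensitive unless the pattern says otherwise.
    """
    return APACHE_PATTERN.search(filename) is not None


def iis_blocks(filename: str) -> bool:
    """True if the fileExtensions list would reject the request.

    IIS request filtering compares the extension case-insensitively, so the
    comparison is done on the lower-cased name.
    """
    lower = filename.lower()
    return any(lower.endswith(ext) for ext in PHP_EXTENSIONS)


def build_uploads_web_config(location: str = "wp-content/uploads") -> str:
    """Return a web.config that denies every extension in PHP_EXTENSIONS
    for one location, following the shape of the answer's web.config."""
    configuration = ET.Element("configuration")
    loc = ET.SubElement(configuration, "location", path=location)
    web_server = ET.SubElement(loc, "system.webServer")
    security = ET.SubElement(web_server, "security")
    request_filtering = ET.SubElement(security, "requestFiltering")
    file_extensions = ET.SubElement(request_filtering, "fileExtensions")
    for ext in PHP_EXTENSIONS:
        ET.SubElement(file_extensions, "add", fileExtension=ext, allowed="false")
    ET.indent(configuration)  # pretty-print (Python 3.9+)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(
        configuration, encoding="unicode"
    )


def compare(filenames):
    """Return {name: (apache_blocks, iis_blocks)} so differences stand out."""
    return {name: (apache_blocks(name), iis_blocks(name)) for name in filenames}


# Constructed sample names: ordinary uploads plus the extensions under discussion.
SAMPLE_NAMES = [
    "some.image.png",
    "photo.jpg",
    "script.php",
    "script.phtml",
    "legacy.php5",
    "SCRIPT.PHP",   # case differs: Apache regex misses it, IIS list catches it
    "script.php7",  # neither rule as written covers this extension
]

if __name__ == "__main__":
    for name, (apache, iis) in compare(SAMPLE_NAMES).items():
        print(f"{name:16} apache_blocks={apache!s:5} iis_blocks={iis!s:5}")
    print(build_uploads_web_config())
```

Drop the generated file into the uploads folder (or merge the location element into the site's root web.config); the location path is relative to the site root, as in the answer.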
