Hardening uploads folder in IIS breaks images

I don’t know if that is the right way but the last time I worked with IIS, I used this code to prevent the loading of an PHP script in the uploads folder.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="wp-content/uploads">
    <system.webServer>
        <security>
            <requestFiltering>
                <fileExtensions>
                    <add fileExtension=".php" allowed="false" />
                </fileExtensions>
            </requestFiltering>
      </security>
    </system.webServer>
 </location>

</configuration>

If you try to execute a PHP script in uploads folder or in the subfolders it will result in an 404 Error.

I hope it helps you further.

Usefull Links to that subject:

Translate .htaccess Content to IIS web.config – docs.microsoft.com

My WordPress web.config – saotn.org

Related Posts:

  1. esc_attr() right way and use
  2. Enforcing password complexity
  3. Is it safe to use $_SERVER[‘REQUEST_URI’]?
  4. Does My Child-Theme Functions.php Need if{die} Security In It? [duplicate]
  5. How Attackers write script into my php files?
  6. Renaming wp-content folder dynamically
  7. How do I create a WP user outside of WordPress and auto login?
  8. Installing wp3.2.1 on IIS; getting empty sessions
  9. Trigger a php file on every post or page if a condition is met
  10. Security – Ajax and Nonce use [closed]
  11. Can I write ‘RewriteCond’ using ‘functions.php’?
  12. Is it unsafe to put php in the /wp-content/uploads directory?
  13. Best way to create a user programatically
  14. Sanitize get_query_var() url parameters
  15. Javascript code inside “” in core WordPress files .php
  16. When must I use and verify nonce?
  17. wordpress upgrade has broken my permalinks
  18. Hiding WordPress Plugin Source Code
  19. Is this code malidcous
  20. Loading jQuery in the footer after removing jQuery migrate?
  21. Writing scripts using WordPress / WooCommerce classes?
  22. Admin username and password
  23. Evaluations of two wordpress security plans against php code injection attack
  24. Insert a button on a page with random number generation
  25. WordPress custom login form using Ajax
  26. Where Does WordPress Make cURL Requests? How To Add cURL Option
  27. Detect session/cookie variable in wordpress to prevent access to documents
  28. Is there any risk setting WordPress file permissions and FS method to ‘direct’ on localhost?
  29. SQL Injection blocked by firewall
  30. How to prevent XSS alter custom global javascript object & methods in WordPress
  31. Repeating admin-ajax.php not found error in admin
  32. Generating an nonce for Content Security Policy and all scripts – How to make it match/persist for each page load?
  33. Cannot execute php files in wp-content
  34. How do I get around “Sorry, this file type is not permitted for security reasons”?
  35. Configure Php server with ISAP
  36. php syntax : [ && ] between commands [closed]
  37. Security: blocking direct access of php files
  38. Correct and safe way to include php content in my page
  39. Custom PHP script throws critical error ONLY when editing page
  40. Password minimum length in personal subscription [closed]
  41. Need to put a script above tag in header.php – WP 5.7.1
  42. How to add API security keys into JS of wordpress securely
  43. Is it best to avoid using $wpdb for security issues?
  44. Troll the hackers by redirecting them
  45. Security updates to 3.3.2
  46. how to prevent wordpress admin from logging in via woocommerce my-account page
  47. malware undetectable by multiple scans
  48. Decoded malware code [closed]
  49. How can I get my Media Uploader Button to function on 1 click rather than requiring 2 clicks?
  50. Updating From Mobile App – Exposing Site to Hacking
  51. security concerns if using html data-* attribute for l10n?
  52. How to correctly escape an echo
  53. Reject all malicious URL requests functions.php
  54. portfolio site – about this site section – is it safe to post some code
  55. echo cutom css code to WordPress page template file ? is this safe?
  56. How to secure my php forms
  57. $.ajax results in 403 forbidden
  58. How to add a PHP scripts into WordPress
  59. Suddenly got alert when trying to login to admin panel of wordpress
  60. Site infected by link
  61. How do I add this OnClick event script to a custom button I’ve created?
  62. Unable to update plug-ins – Undefined index a:1:{s:3:”ssl”;b:1;} in class-requests.php on line 213
  63. Access WP files on “server 1”, from “server 2” – using wp-load on an external website
  64. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  65. Add Custom Taxonomy into Script
  66. how to call other plugins once custom post has been inserted
  67. style.min.css code issue
  68. Retrieve $_POST data to send to javascript without using localize script
  69. Previewing/Updating some Pages causes “The requested URL was rejected” Error
  70. What is the best practice for restricting a section to logged in users?
  71. Editing existing pre-created menus in PHP
  72. Manipulate database of WordPress site with my own scripts
  73. Auto create description in post
  74. How to quickly/easily make an analysis (reverse engineering) of WordPress?
  75. kali php problem [closed]
  76. what to do after instlling cyberpanel on VPS
  77. Running a long script in PHP
  78. Notify users only on post publish
  79. Warning message (re. php) on the blog page
  80. Started getting warning message following host’s PHP upgrade
  81. Site throws 500 error after upgrading from PHP 5.6 to 7.X
  82. How to set up a If is_singular statement?
  83. Where does “rel=0” get removed from my YouTube parameters?
  84. List taxonomy term slugs within shortcode (do_shortcode)
  85. Add content after the first post in WP Loop
  86. Custom array from a query only write the last row of the query
  87. Find a way to retrive data updated through metabox plugin to web page
  88. wp_query get the 2nd post
  89. How to parse multiple links from one variable?
  90. What is the latest WordPress that will work on PHP 5.2.17?
  91. get taxonomy thumbnail and use it as a variable in code
  92. What are the advantages/disadvantages of using jQuery DOM manipulation as opposed to PHP DOM manipulation?
  93. update_post_meta on multi-dimensional array options
  94. How to hook code to show after the_content?
  95. Why doesn’t add_filter have the option to include a callback for each run?
  96. Issue with php version 7.2 in running search
  97. Sending a custom form data in email through WP Mail Function
  98. Woocommerce Email attachments not working – file not being attached
  99. Counting Search results, and displaying the offset per page
  100. Run a code only on theme activation only during first activation
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)