Hardening uploads folder in IIS breaks images

I don’t know if that is the right way but the last time I worked with IIS, I used this code to prevent the loading of an PHP script in the uploads folder.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="wp-content/uploads">
    <system.webServer>
        <security>
            <requestFiltering>
                <fileExtensions>
                    <add fileExtension=".php" allowed="false" />
                </fileExtensions>
            </requestFiltering>
      </security>
    </system.webServer>
 </location>

</configuration>

If you try to execute a PHP script in uploads folder or in the subfolders it will result in an 404 Error.

I hope it helps you further.

Usefull Links to that subject:

Translate .htaccess Content to IIS web.config – docs.microsoft.com

My WordPress web.config – saotn.org

Related Posts:

  1. esc_attr() right way and use
  2. Enforcing password complexity
  3. Is it safe to use $_SERVER[‘REQUEST_URI’]?
  4. Does My Child-Theme Functions.php Need if{die} Security In It? [duplicate]
  5. How Attackers write script into my php files?
  6. Renaming wp-content folder dynamically
  7. How do I create a WP user outside of WordPress and auto login?
  8. Installing wp3.2.1 on IIS; getting empty sessions
  9. Trigger a php file on every post or page if a condition is met
  10. Security – Ajax and Nonce use [closed]
  11. Can I write ‘RewriteCond’ using ‘functions.php’?
  12. Is it unsafe to put php in the /wp-content/uploads directory?
  13. Best way to create a user programatically
  14. Sanitize get_query_var() url parameters
  15. Javascript code inside “” in core WordPress files .php
  16. When must I use and verify nonce?
  17. wordpress upgrade has broken my permalinks
  18. Hiding WordPress Plugin Source Code
  19. Is this code malidcous
  20. Loading jQuery in the footer after removing jQuery migrate?
  21. Writing scripts using WordPress / WooCommerce classes?
  22. Admin username and password
  23. Evaluations of two wordpress security plans against php code injection attack
  24. Insert a button on a page with random number generation
  25. WordPress custom login form using Ajax
  26. Where Does WordPress Make cURL Requests? How To Add cURL Option
  27. Detect session/cookie variable in wordpress to prevent access to documents
  28. Is there any risk setting WordPress file permissions and FS method to ‘direct’ on localhost?
  29. SQL Injection blocked by firewall
  30. How to prevent XSS alter custom global javascript object & methods in WordPress
  31. Repeating admin-ajax.php not found error in admin
  32. Generating an nonce for Content Security Policy and all scripts – How to make it match/persist for each page load?
  33. Cannot execute php files in wp-content
  34. How do I get around “Sorry, this file type is not permitted for security reasons”?
  35. Configure Php server with ISAP
  36. php syntax : [ && ] between commands [closed]
  37. Security: blocking direct access of php files
  38. Correct and safe way to include php content in my page
  39. Custom PHP script throws critical error ONLY when editing page
  40. Password minimum length in personal subscription [closed]
  41. Need to put a script above tag in header.php – WP 5.7.1
  42. How to add API security keys into JS of wordpress securely
  43. Is it best to avoid using $wpdb for security issues?
  44. Troll the hackers by redirecting them
  45. Security updates to 3.3.2
  46. how to prevent wordpress admin from logging in via woocommerce my-account page
  47. malware undetectable by multiple scans
  48. Decoded malware code [closed]
  49. How can I get my Media Uploader Button to function on 1 click rather than requiring 2 clicks?
  50. Updating From Mobile App – Exposing Site to Hacking
  51. security concerns if using html data-* attribute for l10n?
  52. How to correctly escape an echo
  53. Reject all malicious URL requests functions.php
  54. portfolio site – about this site section – is it safe to post some code
  55. echo cutom css code to WordPress page template file ? is this safe?
  56. How to secure my php forms
  57. $.ajax results in 403 forbidden
  58. How to add a PHP scripts into WordPress
  59. Suddenly got alert when trying to login to admin panel of wordpress
  60. Site infected by link
  61. How do I add this OnClick event script to a custom button I’ve created?
  62. Unable to update plug-ins – Undefined index a:1:{s:3:”ssl”;b:1;} in class-requests.php on line 213
  63. Access WP files on “server 1”, from “server 2” – using wp-load on an external website
  64. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  65. Add Custom Taxonomy into Script
  66. how to call other plugins once custom post has been inserted
  67. style.min.css code issue
  68. Retrieve $_POST data to send to javascript without using localize script
  69. Previewing/Updating some Pages causes “The requested URL was rejected” Error
  70. What is the best practice for restricting a section to logged in users?
  71. Editing existing pre-created menus in PHP
  72. Manipulate database of WordPress site with my own scripts
  73. Auto create description in post
  74. How to quickly/easily make an analysis (reverse engineering) of WordPress?
  75. kali php problem [closed]
  76. what to do after instlling cyberpanel on VPS
  77. Running a long script in PHP
  78. append PHP function to the_content
  79. How to track a users progress through pages by inserting data into WordPress Database?
  80. Block PHP Files Nginx
  81. WordPress File handle – fopen, fwrite not working with $.ajax or $.post Jquery
  82. How does the ternary operator work in the wordpress loop post?
  83. Advanced Meta Query for Large Calendar Website (12k+ posts) (175k+ wp_postmeta rows)
  84. How to store post ID’s in cookie or session to display the same posts later
  85. Whats the proper way to use a php stylesheet in a wordpress theme? [duplicate]
  86. Change product_base programmatically
  87. Adding “redirect” to a button
  88. Execute Jquery when a specific page in my plugin is loading
  89. Validating an email input from form field before submit using JQuery, AJAX, and PHP
  90. Display metabox galleries on specific page template in admin editor
  91. Inside Array – “unidentified index” error with “prepare was called incorrectly” despite not calling the prepared statement with wordpress [closed]
  92. dashboard widget form not submit mails
  93. If is_page elseif is_page not working like I want it to
  94. Updating meta_value in a custom key
  95. Where to find the html for WordPress site? [closed]
  96. Custom post type single page return to listing page
  97. Using Nonce for my Form
  98. Transient Loop Not working as expected
  99. Open all external links in new window – need help with the code
  100. HTML in PHP problem [closed]