Is it unsafe to put php in the /wp-content/uploads directory?

Yes it is unsafe, though not for the reasons you think. DO NOT DO THIS.

If your developers can upload a PHP file to your site that gets executed, then that PHP file can undo all other security measures that you put in place. The location of the file is irrelevant. Functionally, there is no difference from editing plugins directly.

Additionally, a common security enhancement is to prevent PHP execution in the uploads folder, and assume any PHP in the uploads folder is malicious.

Either way, your proposed development process is highly unusual and problematic. I strongly advise against this. Moving the files uploaded to another folder will not improve security.

Do not let developers upload PHP to the uploads folder. It is not a good idea.

Related Posts:

  1. How do I get around “Sorry, this file type is not permitted for security reasons”?
  2. How to change upload directory in wp_handle_upload
  3. Uploading media with the REST API
  4. esc_attr() right way and use
  5. Enforcing password complexity
  6. Decrease file size upload in Media
  7. Does My Child-Theme Functions.php Need if{die} Security In It? [duplicate]
  8. Adding a custom image upload size and making it selected by default?
  9. Change the filename format of saved featured images
  10. Image Upload “exceeds the maximum upload size for this site”, but php.ini is correct
  11. How to register images uploaded via FTP in media library?
  12. How Attackers write script into my php files?
  13. Failed media upload: “The uploaded file was only partially uploaded.”
  14. Create Image Uploader for Widget
  15. Using file_exists to check file in Uploads
  16. Rename image uploads replacing “width” and “height” in filename with “medium”, “large”, “small”
  17. Rename image uploads with width in filename
  18. Renaming wp-content folder dynamically
  19. Modify image while uploading
  20. How do I create a WP user outside of WordPress and auto login?
  21. Debugging upload problem: What part of WP does actual image-resizing?
  22. Security – Ajax and Nonce use [closed]
  23. How to resize image on client-side before upload?
  24. Specified file failed upload test. wp_upload_handle
  25. How to upload imagick resource to media in wordpress
  26. Can I write ‘RewriteCond’ using ‘functions.php’?
  27. Accessing a random image via ajax
  28. Make WordPress upload directory outside wordpress root with custom url
  29. Upload images and attachments from frontend form
  30. Image upload via FTP to wordpress media library
  31. WordPress media upload “HTTP error”
  32. Adding featured image via PHP
  33. How to enlarge the media file upload size in wordpress admin
  34. Restrict WordPress File Type Uploads by User Type
  35. Sanitize get_query_var() url parameters
  36. File upload, uploads only file name
  37. Modify Maximum upload file size text
  38. Attach previously uploaded image to post – current code has unexpected results
  39. Change WordPress Upload Folder using wp handle upload
  40. Security: blocking direct access of php files
  41. How do I Import / Upload Files with jQuery AJAX?
  42. WordPress automatically adds links to uploaded images
  43. WordPress function when file is uploaded, deleted or edited
  44. Correct and safe way to include php content in my page
  45. Can I get an email notification when media is uploaded to the media library?
  46. Password minimum length in personal subscription [closed]
  47. How to add API security keys into JS of wordpress securely
  48. Is it best to avoid using $wpdb for security issues?
  49. Hardening uploads folder in IIS breaks images
  50. Blob file download problem
  51. zip unzip attachments in wordpress
  52. Troll the hackers by redirecting them
  53. Security updates to 3.3.2
  54. how to prevent wordpress admin from logging in via woocommerce my-account page
  55. Upload multiple files in randomly generated folder using wp_upload_bits
  56. malware undetectable by multiple scans
  57. Decoded malware code [closed]
  58. Can’t upload CSV file to plugin directory using custom upload form in admin panel
  59. WordPress upload file size error even after raising php limits
  60. Get uploaded image and attach it to the new post
  61. Get featured image with custom size outside WordPress
  62. Why is my max_upload_filesize being limited to 2M? [duplicate]
  63. Images Uploaded saving onto older/previous year folders
  64. How do I increase the upload size only when editing special pages?
  65. Convert canvas to image and upload image to server
  66. How to get the filename from file system and create a download link?
  67. Get URL of Featured Image After wp_insert_post()
  68. Custom upload folder
  69. WordPress İmages Upload & Delete Error
  70. Allow user to Upload image and manipulate it on the frontend
  71. custom plugin with upload files does not work
  72. Updating From Mobile App – Exposing Site to Hacking
  73. How to Make Thumbnail of Post Stay Animated
  74. Front end file upload returning wrong attachment url
  75. Convert all uploaded PNG files to PNG-8 format
  76. How to decrease the max file upload size without using php.ini or htaccess?
  77. security concerns if using html data-* attribute for l10n?
  78. Some problems in custom widget
  79. Checking page before applying image restrictions while uploading
  80. Change image data durgin upload
  81. Hook on file upload
  82. How to correctly escape an echo
  83. Reject all malicious URL requests functions.php
  84. Problem with inserting multiple images in gallery of each WooCommerce product programmatically
  85. I can’t set image ad fatured programatically
  86. portfolio site – about this site section – is it safe to post some code
  87. How can I update WordPress plugins or WordPress itself in all server?
  88. async upload not working when not logged
  89. echo cutom css code to WordPress page template file ? is this safe?
  90. WordPress loading all local images from specific directory?
  91. Trying to generate a CSS file in wordpress uploads folder
  92. How to secure my php forms
  93. $.ajax results in 403 forbidden
  94. Maximum file Upload
  95. Site infected by link
  96. Sudden Upload HTTP errors, PHP uploads and memory limits are already to high to my taste. Anything else?
  97. Change upload URL by mime type
  98. Access WP files on “server 1”, from “server 2” – using wp-load on an external website
  99. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  100. Right path for renaming a file in uploads folder

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)