Is it unsafe to put php in the /wp-content/uploads directory?

Yes it is unsafe, though not for the reasons you think. DO NOT DO THIS.

If your developers can upload a PHP file to your site that gets executed, then that PHP file can undo all other security measures that you put in place. The location of the file is irrelevant. Functionally, there is no difference from editing plugins directly.

Additionally, a common security enhancement is to prevent PHP execution in the uploads folder, and assume any PHP in the uploads folder is malicious.

Either way, your proposed development process is highly unusual and problematic. I strongly advise against this. Moving the files uploaded to another folder will not improve security.

Do not let developers upload PHP to the uploads folder. It is not a good idea.

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)