Is it unsafe to put php in the /wp-content/uploads directory?

Yes it is unsafe, though not for the reasons you think. DO NOT DO THIS.

If your developers can upload a PHP file to your site that gets executed, then that PHP file can undo all other security measures that you put in place. The location of the file is irrelevant. Functionally, there is no difference from editing plugins directly.

Additionally, a common security enhancement is to prevent PHP execution in the uploads folder, and assume any PHP in the uploads folder is malicious.

Either way, your proposed development process is highly unusual and problematic. I strongly advise against this. Moving the files uploaded to another folder will not improve security.

Do not let developers upload PHP to the uploads folder. It is not a good idea.

Related Posts:

  1. How do I get around “Sorry, this file type is not permitted for security reasons”?
  2. Uploading media with the REST API
  3. esc_attr() right way and use
  4. Decrease file size upload in Media
  5. Does My Child-Theme Functions.php Need if{die} Security In It? [duplicate]
  6. Adding a custom image upload size and making it selected by default?
  7. Image Upload “exceeds the maximum upload size for this site”, but php.ini is correct
  8. Failed media upload: “The uploaded file was only partially uploaded.”
  9. Create Image Uploader for Widget
  10. How do I create a WP user outside of WordPress and auto login?
  11. Debugging upload problem: What part of WP does actual image-resizing?
  12. How to resize image on client-side before upload?
  13. Specified file failed upload test. wp_upload_handle
  14. Can I write ‘RewriteCond’ using ‘functions.php’?
  15. Image upload via FTP to wordpress media library
  16. WordPress media upload “HTTP error”
  17. Restrict WordPress File Type Uploads by User Type
  18. Modify Maximum upload file size text
  19. Upload a json file in php [closed]
  20. Custom image upload
  21. is it possible to force wordpress to always save thumbnails as ‘jpg’ not ‘png’
  22. Hiding WordPress Plugin Source Code
  23. Is this code malidcous
  24. Admin username and password
  25. Convert all images to PNG on file upload
  26. Upload Image in a WordPress page using PHP
  27. Evaluations of two wordpress security plans against php code injection attack
  28. WordPress (3.9.1) MultiSite Permissions. Is chown the answer?
  29. Randomise upload filenames (or another solution to hide the original image URL from theft?)
  30. how to retrieve uploaded url of zip files
  31. WordPress custom login form using Ajax
  32. Why is $_REQUEST an empty array in admin-ajax.php?
  33. Detect session/cookie variable in wordpress to prevent access to documents
  34. SQL Injection blocked by firewall
  35. How to upload a file to a folder named after the user_id via plugin
  36. Generating an nonce for Content Security Policy and all scripts – How to make it match/persist for each page load?
  37. Upload multiple images to a Woocomerce product
  38. Cannot execute php files in wp-content
  39. What is the alternative to “ when it comes to calling Media (image) files in the ‘attachment.php’ file?
  40. Upload file could not be moved to wp-content/uploads
  41. NGINX rewrite rules for multisite
  42. Change WordPress Upload Folder using wp handle upload
  43. Security: blocking direct access of php files
  44. How do I Import / Upload Files with jQuery AJAX?
  45. WordPress automatically adds links to uploaded images
  46. WordPress function when file is uploaded, deleted or edited
  47. Correct and safe way to include php content in my page
  48. How to add API security keys into JS of wordpress securely
  49. Hardening uploads folder in IIS breaks images
  50. zip unzip attachments in wordpress
  51. Security updates to 3.3.2
  52. Upload multiple files in randomly generated folder using wp_upload_bits
  53. Decoded malware code [closed]
  54. Can’t upload CSV file to plugin directory using custom upload form in admin panel
  55. WordPress upload file size error even after raising php limits
  56. Get uploaded image and attach it to the new post
  57. Get featured image with custom size outside WordPress
  58. Why is my max_upload_filesize being limited to 2M? [duplicate]
  59. Images Uploaded saving onto older/previous year folders
  60. How do I increase the upload size only when editing special pages?
  61. Convert canvas to image and upload image to server
  62. How to get the filename from file system and create a download link?
  63. Get URL of Featured Image After wp_insert_post()
  64. Updating From Mobile App – Exposing Site to Hacking
  65. How to Make Thumbnail of Post Stay Animated
  66. Convert all uploaded PNG files to PNG-8 format
  67. How to decrease the max file upload size without using php.ini or htaccess?
  68. Some problems in custom widget
  69. Checking page before applying image restrictions while uploading
  70. Change image data durgin upload
  71. Hook on file upload
  72. How to correctly escape an echo
  73. Problem with inserting multiple images in gallery of each WooCommerce product programmatically
  74. I can’t set image ad fatured programatically
  75. echo cutom css code to WordPress page template file ? is this safe?
  76. Trying to generate a CSS file in wordpress uploads folder
  77. $.ajax results in 403 forbidden
  78. Sudden Upload HTTP errors, PHP uploads and memory limits are already to high to my taste. Anything else?
  79. Change upload URL by mime type
  80. I want url from a file in media using title file
  81. Crop an image after upload on custom account page
  82. media_handle_upload fails with gravity form submitted image
  83. Restrict File Type Uploads by User on Wordress via functions.php
  84. Retrieve $_POST data to send to javascript without using localize script
  85. wp_delete_attachment not working with multiple values
  86. What is the best practice for restricting a section to logged in users?
  87. Renaming “Expand Details” within “Add Media”
  88. Save the outputted image into the Media Library, with a different filename and extension
  89. WordPress will suddenly stop saving files uploaded by my code (ran in nopriv ajax)
  90. Name Input from widget displays Sidebar name instead of saved data
  91. Can’t upload files
  92. File Upload with Server in safe_mode
  93. Edit Image/Image Details – Replace button missing
  94. Correct Syntax for uploading files to custom directory in WordPress
  95. How to quickly/easily make an analysis (reverse engineering) of WordPress?
  96. How to automatically convert images to WebP on WordPress?
  97. How to rename files during upload to a random string?
  98. WordPress directories not writable after PHP version upgrade
  99. Upload multiple files via ajax from an HTML file input
  100. get_post_meta returns on side but it doesn’t return on bottom of admin page

Leave a Comment