I have no idea where that code snippet comes from, but security for uploaded files should be addressed in three steps:

1. Upload permission should be restricted only to people you trust (assuming you are the admin/owner), and security is just part of the reason (think someone uploading porn to a church site).
2. You should not let the PHP interpreter execute anything in the uploads directory. This will prevent people uploading and then executing rogue PHP scripts on your server.
3. Any file which is not of an approved extension should be served as a simple octet stream. Configured properly, this will prevent people uploading JS and using it for cookie theft. A twist on it is to serve uploaded files from a different domain.

How to implement steps 2 and 3 depends on the type of web server you use.
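As an added example (not part of the answer above), here is what steps 2 and 3 look like on Apache 2.4 when `AllowOverride` permits `FileInfo`, `Limit` and `Options` in `.htaccess`. The file goes into `wp-content/uploads/` itself. The extension allow-list at the bottom is an assumption for illustration; trim it to what your site actually needs.

```apache
# wp-content/uploads/.htaccess  (added example, not from the original post)

# Step 2: never hand anything in this tree to a PHP interpreter.
# The pattern also catches double extensions such as shell.php.jpg, which
# mod_mime can otherwise treat as PHP when handlers are bound per extension.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phps|phtml|phar|php[0-9])(\.|$)">
    SetHandler none
    Require all denied
</FilesMatch>
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar
Options -ExecCGI -Indexes

# Step 3: by default every file is an opaque download, never rendered
# in the browser, so an uploaded .html or .js cannot run in the site's origin.
ForceType application/octet-stream
<IfModule mod_headers.c>
    Header set Content-Disposition attachment
    Header set X-Content-Type-Options nosniff
</IfModule>

# Allow-listed media gets its real MIME type back (assumed list, adjust it).
# SVG is deliberately absent: it can carry script and would undo step 3.
<FilesMatch "\.(jpe?g|png|gif|webp|pdf|mp4)$">
    ForceType none
    <IfModule mod_headers.c>
        Header unset Content-Disposition
    </IfModule>
</FilesMatch>
```

The `<IfModule mod_php.c>` guard matches the PHP 8 module name (PHP 7 registers as `mod_php7.c`); without the guard, `php_flag` on a PHP-FPM host makes Apache refuse the whole directory with a 500. nginx ignores `.htaccess` entirely, so there the equivalent is a `location ~* ^/wp-content/uploads/.*\.php` block that returns 403 plus `default_type application/octet-stream` for the uploads location. Whichever server you use, verify the result by uploading a harmless `test.php` that just echoes a string and confirming you get a 403, not the string.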