问题
I have a WordPress website under Windows Server 2012 IIS 8.5, the last PHP, and the last MySQL.
My WordPress installation (4.7) is compromised, I need to reinstall it, update plugins, change themes, etc., but I have to wait for a response.
Every day I see some strange *.php files in the uploads folder. How can I deny PHP upload in this folder? I have access to the Web Server, and I can change whatever I want.
Maybe I can solve it with an .htaccess file or what?
I know that WordPress must have write access to many folders, like uploads, indeed if I deny IUSR write to uploads folders. Those files do not appear, but I can't upload anything. I just need to deny *.php upload.
回答1:
To restrict PHP files execution in your upload folder when using IIS on windows server, you just need to upload a web.config file in your "upload" folder with below mentioned content:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
</handlers>
</system.webServer>
</configuration>
For more detailed explanation, just check here: http://www.wptricks24.com/disable-php-files-upload-folder-wordpress-iis
This is a very nice article for same situation you are facing.
来源:https://stackoverflow.com/questions/41714059/iis-8-5-deny-php-upload