Steve Holdoway steve at greengecko.co.nz
Mon Mar 23 23:47:38 UTC 2015

On Mon, 2015-03-23 at 22:52 +0000, Francis Daly wrote:
> On Tue, Mar 24, 2015 at 09:13:50AM +1300, Steve Holdoway wrote:
> > Hi there,
> > Is there any way to stop / disable random file uploads... for example,
> > I'm having 'fun' with mail relays being uploaded to the cache area of a
> > wordpress site?
> What is the difference between a request that is a file upload and a request
> that is not a file upload, on your system?
> Are there some specific urls you want to block? Do you want to block
> all POST requests?
> > Can't think of anything off the top of my head that would do it.
> Would it be simpler for you to configure your wordpress to disallow
> file uploads?
> 	f

I would like to block at web server level if possible, seems the most
sensible to me. This is what I currently use for wordpress ( after this
morning lol )

        # set the static ones first, then the catchall
        # Directives to send expires headers and turn off 404 error
        location ~* ^/(?:uploads|files|cache|plugins)/.*\.(png|gif|jpg|xls|myo|qbb|pst|dat|qbx|bc7|cf7)$ {
                expires 24h;
                log_not_found off;
        }

        # Serve script-like files under these directories as plain text
        location ~* ^/wp-content/(files|uploads|cache|plugins)/.*\.(php|js|swf)$ {
                types { }
                default_type text/plain;
        }

I think I should be able to simplify it by having the block before a
straight catchall with no extensions listed, which would help ( although
a zero expiry on .html would probably be beneficial ).
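
The layout described in the last paragraph, written out as an added example that is not part of the original post: the restrictive block first, then a catchall with no extension list. The `/wp-content/` prefix on every block, the separate `.html` block and a PHP handler defined later in the same `server { }` are assumptions.

```nginx
# Added example; these blocks sit inside the existing server { } block.
# nginx tests regex locations in the order they appear in the file and
# uses the first one that matches, so all three blocks must come before
# any "location ~ \.php$" handler (assumed to exist further down).

# 1. Script-like files in the writable WordPress directories.
#    An empty types map plus default_type makes nginx send the raw bytes
#    as text/plain. There is no fastcgi_pass or proxy_pass here, so the
#    file is never handed to an interpreter.
location ~* ^/wp-content/(?:files|uploads|cache|plugins)/.*\.(?:php|js|swf)$ {
    types { }
    default_type text/plain;
}

# 2. Cached HTML: zero expiry so clients revalidate on every request.
location ~* ^/wp-content/(?:files|uploads|cache|plugins)/.*\.html$ {
    expires 0;
    log_not_found off;
}

# 3. Catchall with no extensions listed. Everything else under these
#    directories is served as a static file. Because it is still ahead of
#    the PHP handler, a path such as /wp-content/cache/x.php/extra, which
#    block 1 does not match, ends here and is looked up as a plain file.
location ~* ^/wp-content/(?:files|uploads|cache|plugins)/ {
    expires 24h;
    log_not_found off;
}
```

This controls how files already on disk are served; it does not stop them being written there.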



