Skip to content

111 Recipes

Apache 2.4 Security WordPress

How to disable manual uploading of WordPress themes and plugins in Apache 2.4

Published ·UPD ·In Recipes

Disabling manual uploading of themes and plugins can be used as an extra layer of security in WordPress. The implementation in Apache 2.4 is simple:

<LocationMatch "^/wp-admin/update.php">
  <If "%{QUERY_STRING} =~ /.*action=upload-(plugin|theme).*/">
    Require all denied
  </If>
</LocationMatch>

Exceptions for trusted IP addresses can be made by adding extra requirements to the block:

<LocationMatch "^/wp-admin/update.php">
  <If "%{QUERY_STRING} =~ /.*action=upload-(plugin|theme).*/">
    Require all denied
    Require ip 192.0.2.1
    Require ip 192.0.2.2
  </If>
</LocationMatch>

Documentation: Apache HTTP Server version 2.4 – Documentation – Access Control

Changelog

  • 2020-10-23. Added link to the official documentation for the Require directive.