Disabling manual uploading of themes and plugins can be used as an extra layer of security in WordPress. The implementation in Apache 2.4 is simple:
```apache
# Deny manual plugin and theme uploads through wp-admin/update.php.
<LocationMatch "^/wp-admin/update.php">
    <If "%{QUERY_STRING} =~ /.*action=upload-(plugin|theme).*/">
        Require all denied
    </If>
</LocationMatch>
```
Exceptions for trusted IP addresses can be made by adding extra requirements to the block:
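```apache
<LocationMatch "^/wp-admin/update.php">
    <If "%{QUERY_STRING} =~ /.*action=upload-(plugin|theme).*/">
        # Multiple Require lines in one section are combined as RequireAny,
        # so a request from a listed address is allowed and all others are denied.
        Require all denied
        Require ip 192.0.2.1
        Require ip 192.0.2.2
    </If>
</LocationMatch>
```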
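To check that the rule is doing its job, the following added example (not part of the original post) reads Apache access-log lines and lists manual upload requests from untrusted clients that were not answered with a 403. The log lines are constructed, and the trusted list is assumed to mirror the `Require ip` lines above.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: same trusted addresses as the "Require ip" lines above.
TRUSTED = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("192.0.2.2")}

# Apache common/combined log format: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')


def is_upload_request(target):
    """True if the request target is a manual plugin or theme upload."""
    parts = urlsplit(target)
    if not parts.path.startswith("/wp-admin/update.php"):
        return False
    actions = parse_qs(parts.query).get("action", [])
    return any(a in ("upload-plugin", "upload-theme") for a in actions)


def audit(lines):
    """Return (client, target, status) for upload requests from untrusted
    clients that were answered with anything other than 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_upload_request(m.group(2)):
            continue
        client, target, status = m.groups()
        try:
            trusted = ipaddress.ip_address(client) in TRUSTED
        except ValueError:  # client logged as a hostname, not an address
            trusted = False
        if not trusted and status != "403":
            findings.append((client, target, int(status)))
    return findings


# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '198.51.100.7 - - [23/Oct/2020:10:00:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 403 199',
    '192.0.2.1 - - [23/Oct/2020:10:01:00 +0000] "POST /wp-admin/update.php?action=upload-theme HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Oct/2020:10:02:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120',
    '198.51.100.7 - - [23/Oct/2020:10:03:00 +0000] "GET /wp-admin/update.php?action=update-selected HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("not blocked:", finding)
```

An empty result from `audit()` on a real log means every upload attempt from outside the trusted list was rejected.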
Documentation: Apache HTTP Server version 2.4 – Documentation – Access Control
Changelog
- 2020-10-23
  - Added link to the official documentation for the Require directive.