Open
Description
With the Gravity Forms vulnerability earlier this year, we were made aware once more that malware can also be uploaded to `wp-content/uploads`, mostly as `.php` or `.php.bak` files.
If it's easily doable, we should detect such files too and perhaps even disable PHP parsing using `.htaccess`, like GF nowadays does:
```apache
# Disable parsing of PHP for some server configurations. This file may be removed or modified on certain server configurations by using the gform_upload_root_htaccess_rules filter. Please consult your system administrator before removing this file.
<Files *>
SetHandler none
SetHandler default-handler
Options -ExecCGI
RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
</Files>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
```
At least we should recommend doing that.
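As an added example (not code from this issue, the plugin, or Gravity Forms), here is a small Python scanner that does the two checks the issue asks for: it walks an uploads directory and flags any file whose dotted suffix chain contains a script extension (so `shell.php.bak` and `shell.php.jpg` are caught as well as `shell.php`, because Apache's mod_mime can pick the `.php` handler from a middle extension when `AddHandler` is in use), and it reports whether a given directory carries an `.htaccess` with one of the PHP-disabling rules quoted above. The extension list mirrors the `RemoveHandler` line in that `.htaccess`; the sample directory tree is constructed inline for the demo and is not real data.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions Apache may hand to a script handler. This mirrors the RemoveHandler
# list in the Gravity Forms .htaccess quoted in the issue (assumption: that is
# the set we want to detect).
SCRIPT_EXTS = {"cgi", "php", "php3", "php4", "php5", "phtml", "pl", "py", "pyc", "pyo"}

# Rules that indicate PHP execution is disabled for the directory.
HTACCESS_RULES = (
    re.compile(r"^\s*php_flag\s+engine\s+off\b", re.I | re.M),
    re.compile(r"^\s*RemoveHandler\b.*\.php\b", re.I | re.M),
    re.compile(r"^\s*SetHandler\s+(none|default-handler)\b", re.I | re.M),
)


def is_script_like(name: str) -> bool:
    """True if any dotted suffix is a script extension.

    Checks every suffix, not just the last one, so 'shell.php.bak' and
    'shell.php.jpg' are flagged alongside 'shell.php'. A leading dot
    ('.htaccess') is not a suffix and is ignored.
    """
    parts = name.lower().split(".")[1:]
    return any(p in SCRIPT_EXTS for p in parts)


def scan_uploads(uploads_dir: str) -> list:
    """Return relative paths of script-like files under uploads_dir, sorted."""
    flagged = []
    for root, _dirs, files in os.walk(uploads_dir):
        for f in files:
            if is_script_like(f):
                flagged.append(os.path.relpath(os.path.join(root, f), uploads_dir))
    return sorted(flagged)


def htaccess_blocks_php(directory: str) -> bool:
    """True if directory/.htaccess contains a rule that stops PHP from running."""
    ht = Path(directory) / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace")
    return any(rule.search(text) for rule in HTACCESS_RULES)


def build_demo_uploads() -> str:
    """Constructed sample tree for the demo (not real data).

    A clean image in the usual year/month layout, two suspicious files in a
    Gravity Forms subfolder, and a GF-style .htaccess in that subfolder only,
    so the uploads root itself is unprotected.
    """
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    (Path(root) / "2024" / "01").mkdir(parents=True)
    (Path(root) / "2024" / "01" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    gf = Path(root) / "gravity_forms" / "abc123"
    gf.mkdir(parents=True)
    (gf / "upload.php").write_text("<?php echo 1;")
    (gf / "upload.php.bak").write_text("<?php echo 1;")
    (gf / ".htaccess").write_text("<IfModule mod_php5.c>\nphp_flag engine off\n</IfModule>\n")
    return root


if __name__ == "__main__":
    demo = build_demo_uploads()
    for path in scan_uploads(demo):
        print("suspicious:", path)
    print("uploads root protected by .htaccess:", htaccess_blocks_php(demo))
    print("gravity_forms/abc123 protected by .htaccess:",
          htaccess_blocks_php(demo + "/gravity_forms/abc123"))
```

Two caveats for anyone turning this into a plugin check: the `.htaccess` test only proves a rule is present, not that the web server honours it (nginx ignores `.htaccess` entirely, and Apache needs `AllowOverride` to permit it), and a file flagged by extension still has to be inspected before deletion, since `.php.bak` files are occasionally legitimate backups left by site owners.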