Home / server / Questions / 286503
In Process
Andre Carlucci
Asked: 2011-07-03 21:03:47 +0800 CST

How can I disable php scripts on a specific subdir of my website on IIS7?

  • 772

How can I disable php scripts on a specific subdir of my website using IIS7?

I have a wordpress blog and I want to disable php on the "uploads" dir.

windows-server-2008 iis-7 wordpress

2 Answers

  1. You have quite a few options here. All code examples (one for each approach) need to be placed in web.config file in your "uploads" folder (in case if you do not know this).

    1) Remove handler that is responsible for processing *.php files (in IIS Manager it is "Handler Mappings"):

    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <remove name="PHP 5" />
        </handlers>
    </system.webServer>
</configuration>

    Cons:

    • You need to know the handler name
    • Handler name can be changed in a future (admin may change to handle PHP in a different way etc)

    2) Using Request Filtering module disable all requests to files with .php extension -- server will send 404.7 error to the client. This module is bundled with IIS 7.5, but for IIS 7.0 you may need to download and install Administration Pack.

    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <fileExtensions>
                    <add fileExtension=".php" allowed="false" />
                </fileExtensions>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

    If you have more than one extension for PHP you will need to list them as well (e.g. .phtml, .php5 etc).

    3) Using URL Rewrite module create a rule to Abort such request.

    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Abort PHP" stopProcessing="true">
                    <match url="^.*\.php$" />
                    <action type="AbortRequest" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
    • IIS 7.0 has no URL Rewrite module bundled while IIS 7.5 has v1.1. Unfortunately I have no v1.1 of this extension installed -- only v2 and cannot check/guarantee that this will work in v1.1. In any case -- I recommend to download and install version 2 of URL Rewrite module.
    • You will need to extend this rule to also catch other file extensions that may be processed by PHP on your setup (e.g. .phtml, .php5 etc).

    4) Using URL Rewrite module create a rule to respond with custom error instead of processing such request.

    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Disable PHP" stopProcessing="true">
                    <match url="^.*\.php$" />
                    <action type="CustomResponse" statusCode="404" statusReason="No PHP here" statusDescription="Sorry mate" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

    5) Using URL Rewrite module create a rule to redirect to your own error page for all of such requests.

    <?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Show Our Error Page for PPHP files" stopProcessing="true">
                    <match url="^.*\.php$" />
                    <action type="Rewrite" url="/404.php" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

    The above rule will internally redirect (rewrite) such requests to a 404.php file in the website root folder (e.g. http://www.example.com/404.php)

    Use #2 if possible -- it will be executed before URL Rewrite step which will be beneficial on very busy server.

    • 3

  2. I know this thread is a little old, but I personally subscribe to the "Write + Execute = BAD" school of thought, and therefore a upload folder should never execute. With this in mind, any handler beyond the static file handler could be considered a security risk.

    To remove all but the static file handler (regardless of what the other handlers are called) (all the benefits of #1 in the above, but without the Cons):

    <configuration>
<system.webServer>
    <handlers>
       <clear />
        <add 
            name="StaticFile" 
            path="*" verb="*" 
            modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" 
            resourceType="Either" 
            requireAccess="Read" />
    </handlers>
    <staticContent>
         <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
      </staticContent>
   </system.webServer>
</configuration>
    • 1