Welcome to the forum:
Welcome to the iThemes, PluginBuddy and WebDesign.com forum. We've created several tutorial video's to help you get you started with using the forum, please check them out!
Also take note of the forum guidelines.
Our moderators actively respond to forum support requests during normal business hours which are Monday-Friday, 8am - 5pm Central Standard Time, typically within one business day. Although some moderators choose to work during the weekends, we can not guarantee immediate attention to your requests. Thanks for understanding.
What is included with support:
Premium support includes theme/plugin issues such as: bugs encountered under normal operation, how to use basic features, basic WordPress help, and basic help with customization (meaning we point you to resources and will help in more depth as time allows). More information.
Support during Holidays:
During the Holidays (Dec. 22 - Jan. 2) our support staff will spend well-deserved time with their families and loved ones.
We can not guarantee the same level of support that you are used to.
Moderators will check in on the support forum, but response times may be longer than expected.
Your iThemes support team wishes you happy holidays!
Posted 10 August 2014 - 09:45 AM
another thing came to my mind regarding the PHP execution, which I think will improve the disabling of PHP execution in the uploads folder a lot:
What if an attacker is aware of the fact that PHP execution is disabled in the uploads folder? Many apache processes have by default no write permissions to write anywhere else but the uploads folder, BUT:
There is one more folder to which the apache process may write: the upgrades folder,because if updating your WordPress/Plugins with the built in FTP upgrade, wordpress will make this folder writable for all (777). So if I, as an attacker, see that I cant execute anything in the uploads folder, I change the wordpress settings to that files get uploaded to the upgrade folder and make this feature a little bit useless.
I suggest extending the disabling of PHP execution to the complete wp-content folder.
Posted 11 August 2014 - 01:05 PM
Excellent point here. I've added it to the feature requests and will be reviewing it soon.
iThemes Security Developer