Welcome to the forum:
Welcome to the iThemes, PluginBuddy and WebDesign.com forum. We've created several tutorial video's to help you get you started with using the forum, please check them out!
Also take note of the forum guidelines.
Our moderators actively respond to forum support requests during normal business hours which are Monday-Friday, 8am - 5pm Central Standard Time, typically within one business day. Although some moderators choose to work during the weekends, we can not guarantee immediate attention to your requests. Thanks for understanding.
What is included with support:
Premium support includes theme/plugin issues such as: bugs encountered under normal operation, how to use basic features, basic WordPress help, and basic help with customization (meaning we point you to resources and will help in more depth as time allows). More information.
Posted 10 August 2014 - 09:45 AM
another thing came to my mind regarding the PHP execution, which I think will improve the disabling of PHP execution in the uploads folder a lot:
What if an attacker is aware of the fact that PHP execution is disabled in the uploads folder? Many apache processes have by default no write permissions to write anywhere else but the uploads folder, BUT:
There is one more folder to which the apache process may write: the upgrades folder,because if updating your WordPress/Plugins with the built in FTP upgrade, wordpress will make this folder writable for all (777). So if I, as an attacker, see that I cant execute anything in the uploads folder, I change the wordpress settings to that files get uploaded to the upgrade folder and make this feature a little bit useless.
I suggest extending the disabling of PHP execution to the complete wp-content folder.
Posted 11 August 2014 - 01:05 PM
Excellent point here. I've added it to the feature requests and will be reviewing it soon.
iThemes Security Developer