In the Apache configuration, always make sure that your files directory is safe and that nothing inside it can be executed. You can disable PHP execution in files directories globally with a few lines of configuration. The example below covers all sites located under /var/www/ whose files directory follows the sites/*/files pattern. Drupal files directories normally follow this specific pattern, which can be used inside the config file.
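<Directory /var/www/*/sites/*/files/>
    # Important for security, prevents someone from
    # uploading a malicious .htaccess
    AllowOverride None
    # Serve everything as a static file; of the two SetHandler lines,
    # the second is the one that takes effect
    SetHandler none
    SetHandler default-handler
    Options -ExecCGI
    # php_flag is provided by mod_php and is only valid when that module is loaded
    php_flag engine off
    RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
    # Same settings again at file level; <Files> sections are merged after
    # <Directory> sections. AllowOverride is only valid in <Directory>,
    # so it is not repeated here.
    <Files *>
        SetHandler none
        SetHandler default-handler
        Options -ExecCGI
        php_flag engine off
        RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo
    </Files>
</Directory>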
With this configuration, Apache will not execute files such as the following inside Drupal files directories:
- /var/www/example.com/sites/example.com/files/dammmfile.php
- /var/www/example2.com/sites/default/files/iambadfile.php
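To see what is already sitting in those directories, the shell script below (an added example, not part of the original post) lists files under the same sites/*/files pattern whose names carry any extension from the RemoveHandler list, including names such as logo.PHP.jpg. The function names and the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list script-type files in Drupal files directories.
# EXTS is copied from the RemoveHandler line in the configuration above.
EXTS='cgi php php3 php4 php5 phtml pl py pyc pyo'

# has_script_ext NAME: succeed if any extension in NAME is in EXTS.
# Case-insensitive, and "x.php.jpg" counts: mod_mime looks at every
# extension in a file name, not only the last one.
has_script_ext() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for ext in $EXTS; do
        case $name in
            *."$ext" | *."$ext".*) return 0 ;;
        esac
    done
    return 1
}

# scan_files_dirs ROOT: print matching paths under ROOT/*/sites/*/files,
# the same pattern the <Directory> block uses (ROOT defaults to /var/www).
scan_files_dirs() {
    root=${1:-/var/www}
    for dir in "$root"/*/sites/*/files; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | while IFS= read -r path; do
            if has_script_ext "${path##*/}"; then
                printf '%s\n' "$path"
            fi
        done
    done
}

# make_demo_tree DIR: constructed sample data, not real sites.
make_demo_tree() {
    mkdir -p "$1/example.com/sites/example.com/files/pictures" \
             "$1/example2.com/sites/default/files" \
             "$1/example2.com/sites/default/modules"
    : > "$1/example.com/sites/example.com/files/dammmfile.php"
    : > "$1/example.com/sites/example.com/files/pictures/logo.PHP.jpg"
    : > "$1/example.com/sites/example.com/files/pictures/photo.jpg"
    : > "$1/example2.com/sites/default/files/iambadfile.php"
    : > "$1/example2.com/sites/default/modules/node.php"   # outside files/
}

# With an argument, scan that web root; make_demo_tree gives an offline trial.
if [ $# -gt 0 ]; then scan_files_dirs "$1"; fi
```

Any path it prints is a file that Apache would have treated as a script without the configuration above, so each one deserves a look.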
Enjoy!