Disabling WordPress Upload

When you upgrade to WordPress 2.0, the upgrade gives the administrator, editor and author roles the right to upload files. This is not a good thing, especially from the point of view of security. File upload always opens up the ability to upload malicious content, whether it is an image that tries to exploit a vulnerability, or an "image" that is actually a PHP script… I can give more examples, but let's skip this.

I have read multiple entries on the Internet that explain how to remove this functionality by:

1. Removing the HTML code: not a good idea, and there is no need to explain why.

2. Removing the PHP code: also not a good idea. What happens when you upgrade?

The only option that would get rid of this ability once and for all (unless you upgrade again, of course) is to run a script such as this:
<?php
// Load the WordPress admin environment (this file lives in /wp-admin/).
require_once('admin.php');
// require_once, so the config is not loaded a second time if it is already in.
require_once('../wp-config.php');
require_once(ABSPATH . '/wp-admin/admin-functions.php');
require_once(ABSPATH . '/wp-admin/upgrade-schema.php');

// Remove the upload_files capability from each role that was given it.
$role = get_role('administrator');
$role->remove_cap('upload_files');

$role = get_role('editor');
$role->remove_cap('upload_files');

$role = get_role('author');
$role->remove_cap('upload_files');
?>

The script removes the ability to upload files from these roles. Because it changes the database settings, not only is the current upload code made unusable, but the upload code in future versions should not work either, unless of course they change the capability name from upload_files to something else.

The above file should be placed in the /wp-admin/ folder and executed by accessing it via a web browser. There is no harm in running it more than once, nor do I see any reason why it should break other things, but let me know if it does.
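Since an upgrade can grant the capability again, a read-only check is useful after every upgrade. The following is an added example, not part of the original script: it goes beyond the three roles above and reports every role in the database that still holds upload_files. It assumes that manage_options is held only by administrators (as in a default install), and the file name you save it under in /wp-admin/ is your choice.

```php
<?php
// Added example: read-only audit of the upload_files capability.
// Place in /wp-admin/ and open it in a browser while logged in.
require_once('admin.php');

// Being logged in is not enough to see the role layout.
// Assumption: only administrators hold manage_options.
if (!current_user_can('manage_options')) {
    die('You are not allowed to run this check.');
}

$cap = 'upload_files';

// Walk every role stored in the database, including custom ones
// that plugins may have added, not only the three default roles.
global $wp_roles;
$holders = array();
foreach ($wp_roles->get_names() as $role_name => $display_name) {
    $role = get_role($role_name);
    if ($role && $role->has_cap($cap)) {
        $holders[] = $role_name;
    }
}

// Role names come from the database, so escape them before output.
echo '<pre>';
if (empty($holders)) {
    echo 'OK: no role holds ' . htmlspecialchars($cap) . "\n";
} else {
    echo 'WARNING: ' . htmlspecialchars($cap) . ' is still granted to: '
        . htmlspecialchars(implode(', ', $holders)) . "\n";
    echo "Run the removal script again.\n";
}
echo '</pre>';
?>
```

The check changes nothing in the database, so it is safe to leave in place between upgrades.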

  • http://www.meubelslogen.nl Tealon

    Thanks! I was just about to remove some php code to get the upload function removed. This is a much easier way to do it.