Web security is a big deal, especially for website owners. Hackers often try to sneak in harmful files with tricky extensions that can bypass filters and potentially damage your site. This guide covers some common file types hackers might use, the tricks they employ, and how to protect your website from these threats with easy, understandable steps.
Why Block Certain Extensions?
File extensions are part of a file’s name, like .jpg for images or .txt for text files. But when it comes to files like .php, they can contain code, and this is where the risk comes in. Hackers often hide harmful code in files with sneaky extensions, hoping to slip past your website’s security checks. Here’s a list of common "bypass" extensions to watch out for: .phtml, .php5, .phps, .pht, .pl, .fcgi, .shtml, .tpl, .cgi-bin, and others. These may also include modified extensions like .php.jpg, .php%00.png, and .php<?.bmp, designed to look safe at first glance.
Steps to Block Dangerous File Extensions
Set Up Server-Side Filtering: This means configuring your web server to prevent specific file extensions from even being processed. By setting rules, you can block requests to these harmful files before they become a problem.
Limit Allowed File Types: Allow only safe file types, like .jpg, .png, or .pdf, and block everything else. This way, even if someone tries to upload a tricky .php file, it’ll get denied right away.
Add a Content Security Policy (CSP): A CSP lets you decide what types of content visitors’ browsers may load and run on your site. This means even if a bad file sneaks in, it won’t execute in the browser because it doesn’t fit the CSP rules you’ve set up.
Use a Web Application Firewall (WAF): A WAF acts like a barrier between your website and the internet, blocking harmful traffic, including requests to files with bad extensions. Many WAFs can detect and block various bypass attempts automatically.
Run Regular Security Audits: It’s smart to check in on your security settings regularly. Doing this will help you stay on top of any new risks and keep your website secure.
Update PHP and Other Extensions: Running the latest PHP version and keeping plugins updated helps close security gaps that hackers might exploit.
Install a Security Plugin: A plugin like Wordfence or MalCare can monitor for suspicious activity and block common threats without much manual effort.
Additional Bypass Techniques to Block
Beyond the extensions listed above, here are further bypass patterns to block:
- Null-byte injection: .php%00.jpg, .php%00.png, .php%00.gif, .php%00.bmp
- PHP tag injection: .php<?.jpg, .php<?.png, .php<?.gif, .php<?.bmp
- Unicode encoding: .php\u0000.jpg, .php\u0000.png, .php\u0000.gif, .php\u0000.bmp
- Double extension: .php.jpg, .php.png, .php.gif, .php.bmp
- Trailing dot: .php., .php..jpg, .php..png, .php..gif, .php..bmp
- Leading dot: ..php, ..php.jpg, ..php.png, ..php.gif, ..php.bmp
- Unicode characters: .php\uFEFF.jpg, .php\uFEFF.png, .php\uFEFF.gif, .php\uFEFF.bmp
Protect Against Sneaky Techniques
Here are some tricks hackers use to bypass security filters:
- Null Byte Injection (%00): Adding %00 (a "null byte") at the end of a filename tricks some systems into ignoring the rest of the name, e.g., .php%00.jpg.
- Double Extensions: Adding a second, safe-looking extension to a risky file, like .jpg.php, hoping the system sees it as a harmless image file.
- Encoding Tricks: Using special characters like %2E for . or \u0000 to disguise harmful extensions.
- Case Sensitivity: Sometimes an uppercase variant like .PHP can slip past filters that only look for lowercase .php.
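The "Limit Allowed File Types" step, the bypass list above, and the tricks just described all come down to one server-side check: normalize the submitted filename, then accept it only if it matches a strict allowlist. The following is an added example written for this article, not code from the page or from any plugin it mentions; the allowlist, the `SCRIPT_EXTENSIONS` set, the `NAME_PATTERN` rule and the sample filenames are all assumptions constructed here. It handles every bypass family the article lists (null byte, percent-encoding, zero-width Unicode, double, leading and trailing dots, and case).

```python
import re
import unicodedata
from urllib.parse import unquote

# Assumed allowlist for an image/PDF upload form. Anything not here is rejected.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Script extensions named in the article; rejected on sight as a second line of defence.
SCRIPT_EXTENSIONS = {
    "php", "phtml", "php5", "phps", "pht", "pl", "fcgi", "shtml", "tpl", "cgi", "cgi-bin",
}

# Exactly one dot, a short basename of safe characters, and a short alphanumeric extension.
# Requiring a single dot removes double extensions, leading dots and trailing dots in one go.
NAME_PATTERN = re.compile(r"^[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})$")


def validate_upload_name(raw_name: str) -> str:
    """Return a normalized, safe filename, or raise ValueError explaining the rejection."""
    # 1. Decode percent-encoding once, so %00 and %2E cannot hide from the later checks.
    name = unquote(raw_name)
    # 2. Reject control characters (null bytes) and format characters (BOM, zero-width marks)
    #    before anything else; these are what the null-byte and Unicode tricks rely on.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in name):
        raise ValueError("control or format character in filename")
    # 3. Case-fold so .PHP and .php are treated identically.
    name = name.lower()
    # 4. Keep only the final path component so "../" prefixes cannot escape the upload folder.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # 5. Enforce the one-dot, safe-characters shape.
    match = NAME_PATTERN.match(name)
    if not match:
        raise ValueError("filename must be basename.ext with one dot and safe characters")
    ext = match.group(1)
    # 6. The extension must be on the allowlist and must never be a script extension.
    if ext in SCRIPT_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} is not allowed")
    return name


def is_safe_upload_name(raw_name: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_upload_name(raw_name)
        return True
    except ValueError:
        return False


# Constructed sample names: two legitimate uploads followed by the bypass variants from the article.
SAMPLE_NAMES = [
    "photo.jpg", "Report.PDF",
    "shell.php", "shell.phtml", "shell.php.jpg", "shell.php%00.png",
    "shell.php\u0000.gif", "shell.php\ufeff.bmp", "shell.php<?.bmp", "shell.php.",
    "shell.php..jpg", "..php", "..php.png", "shell.PHP", "shell%2Ephp",
    "../../shell.php", "image.jpg.php",
]

if __name__ == "__main__":
    for candidate in SAMPLE_NAMES:
        verdict = "accept" if is_safe_upload_name(candidate) else "reject"
        print(f"{verdict:6} {candidate!r}")
```

Two design choices matter here. The filename is decoded exactly once and the control-character check runs before anything else, so a null byte cannot survive into the extension test; and the regex demands a single dot, which is simpler and safer than trying to enumerate every double-extension combination. Pair this with the server-side configuration that stops script execution in the upload folder; the validator is the first gate, not the only one.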
Extra Tips to Keep Your Site Safe
- Validate File Names Strictly: Only allow specific, safe file extensions and block anything else.
- Sanitize Input: Remove unwanted characters from file names to prevent harmful code from sneaking in.
- Disable Script Execution in Upload Folders: Prevent any code from running in folders where users can upload files by setting strict rules in your server configuration.
- Use File Type Verification: Verify file types based on actual content, not just the extension.
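The last two tips, sanitizing the name and verifying the type from the file's actual content, fit together: check the leading bytes against the signature of the claimed type, refuse anything that does not match, and then store the file under a name the server generates rather than the one the uploader supplied. This is an added example written for this article, not code from the page or from any plugin it mentions; the `SIGNATURES` table (the standard magic bytes for JPEG, PNG, GIF and PDF), the embedded-tag check, the naming scheme and the sample byte strings are assumptions constructed here.

```python
import secrets
from typing import Optional

# Standard leading bytes for the accepted formats (constructed table for this example).
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}


def detect_type(data: bytes) -> Optional[str]:
    """Identify the file type from its leading bytes, ignoring the filename entirely."""
    for ext, prefixes in SIGNATURES.items():
        if any(data.startswith(prefix) for prefix in prefixes):
            return ext
    return None


def verify_and_name(claimed_ext: str, data: bytes) -> str:
    """Return a server-generated storage name with the verified extension, or raise ValueError."""
    claimed_ext = claimed_ext.lower().lstrip(".")
    if claimed_ext == "jpeg":
        claimed_ext = "jpg"
    actual = detect_type(data)
    if actual is None:
        raise ValueError("content does not match any accepted file type")
    if actual != claimed_ext:
        raise ValueError(f"claimed .{claimed_ext} but content looks like {actual}")
    # A file with a valid image header can still carry a PHP open tag further in (a polyglot).
    # Rejecting it is a conservative extra check; the real protection is that the upload
    # folder never executes scripts, so this only guards against misconfiguration.
    if b"<?php" in data:
        raise ValueError("embedded PHP open tag in file content")
    # Never reuse the uploader's name on disk: a random hex token plus the verified extension.
    return f"{secrets.token_hex(16)}.{actual}"


def upload_is_valid(claimed_ext: str, data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_and_name(claimed_ext, data)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not real files): a minimal PNG header, script bytes
# submitted under an image name, and a GIF header with a script tag appended.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG = b"<?php /* constructed sample */ ?>"
POLYGLOT_GIF = b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed sample */ ?>"

if __name__ == "__main__":
    print("png as png     ->", upload_is_valid("png", GOOD_PNG))
    print("script as png  ->", upload_is_valid("png", FAKE_PNG))
    print("png as jpg     ->", upload_is_valid("jpg", GOOD_PNG))
    print("polyglot gif   ->", upload_is_valid("gif", POLYGLOT_GIF))
    print("stored as      ->", verify_and_name("PNG", GOOD_PNG))
```

Because the stored name is generated on the server, none of the filename tricks in this article reach the filesystem at all, and because the extension comes from the detected content rather than the request, a script renamed to .png is rejected before it is written. Combine this with the "disable script execution in upload folders" rule so that even a file that fools the signature check has nowhere to run.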
Final Thoughts
Website security is ongoing; staying safe isn’t a one-time job. By combining these layers of protection—blocking suspicious extensions, using a WAF, setting up CSPs, and more—you create a strong defense. Keep an eye on new security updates and review your settings often. It’s the best way to keep your site safe from unwanted risks.