Disabling uploads

Comment out line 220 in “/wp-admin/edit-form-advanced.php” and line 184 in “edit-page-form.php”.

Thanks for the reply. I just managed to get the uploads working properly.. so how do I set the maximum file size for uploads?

Sounds like you want this: https://www.ilfilosofo.com/blog/old-style-upload/

Ahh that’s great, thanks a lot Arlo!

I have a similar question.

Oh, and line 220 on edit-form-advanced is <input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" /> and line 184 in edit-page-form is blank. I’m not sure these are the right lines to comment out.

Should it be

<?php
if (current_user_can('upload_files')) {
$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
if ( false != $uploading_iframe_src )
echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
}
?>

(Lines 236-246 and 198-208 respectively).

I’m not a PHP coder, so if someone could take pity on me and actually explain if I need to comment out ALL the lines (as in, insert // at the start of each line) or just the first one, then if I can delete the inline-uploading PHP file from the server?

My web host has told me that it can be a break in point for hackers and I was hacked 4 times in 2 days.

Andrea

HELP! My site has been hacked again and I really need an answer to this question before I wipe my account and start afresh!

I have a plugin that removes the inline uploader, that might help you.

https://beingmrkenny.co.uk/blog/2006/01/remove-inline-uploader/

It does depend on how the hackers are getting in.

Have you filed a bug report? Security issues are usually a matter of some urgency.

https://codex.www.ads-software.com/Submitting_Bugs

I have checked out your plugin, and plan to use it (way ahead of you there, hehe), along with deleting the inline-uploading.php file altogether (after the account has been reset, as it were).

Most unfortunately, I’m not technical enough to work out if that is the real problem – I’m just trying to cover all the bases.

Did your hosts give you any more information about the attack? See if they know where the vulnerability lies, exactly.

All they said was hacks normally happen to their customers who have PHP scripts that allow file uploading. They said they could not find out how it was happening.

That was after I escalated it to management – earlier, all they said was ‘Your scripts are outdated, you need new ones.’ When I asked exactly which scripts, I was greeted with a stunning silence. That’s when I decided to escalate.

Is it possible for a hacker to insert malicious code into a database entry, and get in from there? I’m trying really hard to work out what is the cause / minimise the likelihood of it happening again.

I have run the disable inline uploading plugin and not uploaded the inline-uploading.php file. The account was wiped and I started from scratch (after restoring the database, of course). So it’s not been hacked yet. But we’ll see.

You can also use what is written here: https://blogs.securiteam.com/index.php/archives/658 which will get rid of the option in future versions as well.