
wp_upload_blocked

Severity: Critical
Signal: upload_blocked — dangerous file upload blocked by WordPress

What this signal means

Someone attempted to upload a file with a dangerous extension (e.g. .php, .exe, .sh) through the WordPress media uploader. WordPress blocked the upload before it reached the server.

What surprise this prevents

A web shell uploaded to your server — giving an attacker the ability to execute arbitrary code, read any file, and use your site as a base for further attacks.

Why it matters

PHP file uploads are the most common vector for web shell attacks. An attacker who successfully uploads a PHP file to your server gains the ability to execute arbitrary code, read any file on the server, and use your site as a base for further attacks. The fact that WordPress blocked it is good — but the attempt itself warrants investigation.

Investigate


Check:

  • payload.filename — what file was attempted?
  • payload.ext — the blocked extension.
  • payload.mime — the declared MIME type (may be spoofed).
  • labels.actor.user_id — was this a logged-in user? If user_id is 0, it was an unauthenticated attempt — this is more serious.
  • labels.actor.ip — the source IP.
  1. Identify who attempted the upload:
       • user_id: 0 = anonymous attempt. An unauthenticated user found an exposed upload endpoint. Investigate how they accessed the uploader.
       • user_id > 0 = a logged-in user attempted the upload. Was it accidental (wrong file type) or intentional?

  2. For anonymous upload attempts: Check whether any form plugins expose file upload functionality without authentication. Common culprits: contact form plugins with file attachments, membership plugins with profile picture uploads.

  3. Audit your upload directory for any PHP files that may have slipped through:

     ```bash
     find wp-content/uploads -name "*.php" -o -name "*.phtml" -o -name "*.php7"
     ```

     Delete any PHP files found in the uploads directory.

  4. Add server-level protection to prevent PHP execution in the uploads directory (even if a file somehow gets uploaded, it cannot run):

     ```apache
     # wp-content/uploads/.htaccess
     <FilesMatch "\.ph(p[2-7]?|tml)$">
       Deny from all
     </FilesMatch>
     ```

  5. Block the source IP at your firewall or Cloudflare if it is making repeated attempts.

When to safely ignore

If labels.actor.user_id > 0 and the user is a known team member who uploaded the wrong file type by accident, the alert can be acknowledged without further action.

If user_id = 0, the upload attempt was anonymous. Treat this as requiring investigation regardless of context.

Signal reference

{
  "event_type": "upload_blocked",
  "payload": {
    "filename": "shell.php",
    "ext": "php",
    "size": 2048,
    "mime": "application/x-httpd-php"
  },
  "labels": {
    "actor": { "user_id": 0, "ip": "198.51.100.7" }
  }
}
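
The triage rules from the Investigate and When to safely ignore sections, applied to a batch of events, as an added example (not Logystera's or WordPress's own code). The sample events are constructed in the shape of the signal reference; KNOWN_TEAM_USER_IDS, REPEAT_THRESHOLD and the image-MIME mismatch check are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events, shaped like the signal reference on this page.
def _event(filename, ext, mime, user_id, ip):
    return {"event_type": "upload_blocked",
            "payload": {"filename": filename, "ext": ext, "size": 2048, "mime": mime},
            "labels": {"actor": {"user_id": user_id, "ip": ip}}}

SAMPLE_EVENTS = [
    _event("shell.php", "php", "application/x-httpd-php", 0, "198.51.100.7"),
    _event("avatar.php", "php", "image/jpeg", 0, "198.51.100.7"),
    _event("x.phtml", "phtml", "text/plain", 0, "198.51.100.7"),
    _event("deploy.sh", "sh", "text/x-shellscript", 12, "203.0.113.20"),
    _event("setup.exe", "exe", "application/octet-stream", 31, "203.0.113.44"),
]

KNOWN_TEAM_USER_IDS = {12}  # assumption: WordPress IDs of known team members
REPEAT_THRESHOLD = 3        # assumption: attempts per IP that count as "repeated"

def triage(events, known_users=KNOWN_TEAM_USER_IDS, repeat_threshold=REPEAT_THRESHOLD):
    """Return one triage record per upload_blocked event."""
    events = [e for e in events if e.get("event_type") == "upload_blocked"]
    per_ip = Counter(e["labels"]["actor"]["ip"] for e in events)
    records = []
    for e in events:
        actor, payload = e["labels"]["actor"], e["payload"]
        if actor["user_id"] == 0:
            verdict = "investigate: anonymous attempt"
        elif actor["user_id"] in known_users:
            verdict = "confirm accidental, then acknowledge"
        else:
            verdict = "investigate: logged-in user"
        records.append({
            "filename": payload["filename"],
            "user_id": actor["user_id"],
            "ip": actor["ip"],
            "verdict": verdict,
            # Heuristic added here: an image MIME declared for a blocked
            # extension suggests the declared type was spoofed.
            "mime_mismatch": payload["mime"].startswith("image/"),
            "block_ip_candidate": per_ip[actor["ip"]] >= repeat_threshold,
        })
    return records

if __name__ == "__main__":
    for record in triage(SAMPLE_EVENTS):
        print(record)
```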