It’s a best practice to disable PHP in any folder where users might upload files. Usually, I would just place an .htaccess file in the uploads folder with a simple directive to disable execution of any PHP files:

php_flag engine Off
On this blog, I’ve been storing images on a CDN, uploaded automatically, using a WordPress plugin. The plugin uploads all files in the uploads folder, then deletes them so that they aren’t stored locally at all, which is fine, except that it uploaded and deleted my .htaccess file. Rather than poke around in the plugin to see what it was doing, I realized I could add the directive in the vhosts file, by adding a Directory declaration:

<Directory /path/to/wp-content/uploads>
php_flag engine Off
</Directory>
I already do this for a number of php_admin_value declarations in the main body of the vhost file, but for some reason it hadn’t occurred to me to put Directory declarations here, too.
Now I know.
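A fuller version of that vhost, as an added example rather than this blog’s actual configuration: the hostname and paths are placeholders, and it assumes Apache 2.4 with PHP running as mod_php (the php_flag / php_admin_flag directives are only understood when mod_php is loaded; under PHP-FPM they would make httpd refuse to start, and the FilesMatch block alone does the work).

```apache
# Added example (not the post's own vhost). ServerName and paths are placeholders.
<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog

    <Directory /var/www/blog>
        # WordPress permalinks rely on its own .htaccess, so overrides stay on here.
        AllowOverride All
        Require all granted
    </Directory>

    <Directory /var/www/blog/wp-content/uploads>
        # Ignore any .htaccess that ends up in the uploads tree (whether a plugin
        # deleted ours or something else dropped a new one in).
        AllowOverride None

        # php_admin_flag, unlike php_flag, cannot be switched back on from
        # .htaccess or ini_set(), which is why it is the better choice here.
        # Note that with the engine off mod_php serves a .php file as plain text.
        php_admin_flag engine Off

        # Refuse to serve PHP-looking files at all, so nothing is executed or
        # disclosed regardless of which PHP SAPI is in use.
        <FilesMatch "\.(php|phtml|phar)$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

After reloading httpd, a quick check is to drop a throwaway file such as uploads/test.php containing a phpinfo() call and request it: the expected result is a 403, not a PHP info page and not the file's source.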