important - Magento2 security tips

The term "Magento 2 upload hack" typically refers to a critical class of security vulnerabilities where attackers exploit file upload features to gain unauthorized access.
As of April 2026, the most urgent threat is a vulnerability called PolyShell, which allows unauthenticated attackers to upload executable files to almost any Magento or Adobe Commerce store.
Current Major Threat: PolyShell (APSB25-94)
Discovered by Sansec, this vulnerability is currently being exploited in the wild.
How it Works: Attackers use the REST API to upload a "polyglot" file—a file that looks like a valid image to the server but contains hidden PHP code.
The Vector: The attack targets the Cart Item Custom Options feature. When a product allows a "file" upload option, the API accepts base64-encoded data and saves it to the pub/media/custom_options/ or customer_address folder.
So here is what you should do to protect your Magento 2 website:
1. Configure open_basedir to restrict PHP to the pub folder instead of leaving the default.
2. Restrict which PHP files are allowed to execute under the media folder, and wait for Magento 2.4.9.
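To make the description above concrete from the defender's side, here is an added example (not code from the original post, Sansec, or Magento) that walks a media tree and flags the two artifacts this vector leaves behind: files with an executable extension under media, and files that carry an image magic header but contain a PHP open tag (the "polyglot" shape). The directory layout, the marker strings and the sample files are constructed assumptions for the dry run, not real uploads.

```python
import os
import tempfile
from pathlib import Path

# Executable extensions that should never exist under the media tree (assumed list).
EXEC_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Magic bytes of the image formats a polyglot upload would imitate.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Byte strings that mark embedded PHP code (assumed detection markers).
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')
MAX_READ = 2 * 1024 * 1024  # scan at most 2 MiB per file


def image_type(data: bytes):
    """Return the image format implied by the leading magic bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_file(path: Path):
    """Return a reason string if the file looks suspicious, else None."""
    if path.suffix.lower() in EXEC_EXTENSIONS:
        return "executable extension under media"
    data = path.read_bytes()[:MAX_READ]
    kind = image_type(data)
    marker = next((m for m in PHP_MARKERS if m in data), None)
    if kind and marker:
        return f"{kind} header but contains {marker.decode()}"
    if marker:
        return f"non-image file contains {marker.decode()}"
    return None


def scan_media(root) -> list[tuple[str, str]]:
    """Walk the media tree and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            reason = scan_file(p)
            if reason:
                findings.append((str(p.relative_to(root)), reason))
    return sorted(findings)


def build_sample_media(root) -> None:
    """Write constructed sample files (not real uploads) that mimic a media tree."""
    co = Path(root) / "custom_options" / "quote"
    co.mkdir(parents=True)
    # A harmless image-like file: PNG header, no code.
    (co / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # A polyglot-shaped file: JPEG header followed by a PHP open tag (inert marker).
    (co / "polyglot.jpg").write_bytes(
        b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?php /* constructed marker */ ?>"
    )
    # A file whose extension alone makes it unacceptable under media.
    (co / "shell.phtml").write_bytes(b"<?php /* constructed marker */ ?>")
    (Path(root) / "catalog").mkdir()
    (Path(root) / "catalog" / "notes.txt").write_bytes(b"plain text, no code")


def demo() -> list[tuple[str, str]]:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_media(tmp)
        return scan_media(tmp)


if __name__ == "__main__":
    # In practice you would call scan_media("/var/www/magento/pub/media") instead.
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real store point scan_media at pub/media and run it from cron or after a suspicious REST API upload burst; the extension check catches what the nginx/Apache rules below are meant to block from executing, and the header-plus-marker check catches polyglots that those rules do not remove from disk.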
nginx
Code:
# nginx: refuse to serve or execute anything PHP-like under the media tree
location /pub/media/ {
    location ~ \.php$ {
        deny all;
    }
    # Also catch .phtml and .php5 (case-insensitive match on the resolved filename)
    if ($request_filename ~* \.(php|phtml|php5)$ ) {
        return 403;
    }
}

Apache
Add this to the .htaccess in the media folder:
Code:
# Apache 2.2 syntax (still works on 2.4 via mod_access_compat; on 2.4 you can use "Require all denied")
<FilesMatch "\.(php|php5|phtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>