First, actual file locations are never revealed. Technically files can be downloaded via the direct URL, but the direct URL is never revealed through the plugin.
If you want to make your files 100% secure so that they are literally impossible to access (without root server access), then you need to place the files in a level above the web root on the server. This would be at least one folder above where WordPress is installed. You can then enter the file URL like this:
/var/file-name.ext
Are you familiar with how to do that?
But anyone who knows your extension can access files directly through the web browser. I don’t know how to do the solution you are talking about. Can’t the extension protect the files with an admin-only permission added to the folder?
They can only access it if they know the exact path and file name, which is very unlikely. Notice that if you go to yoursite.com/wp-content/uploads/edd/ it will give you a permission denied error.
This issue has been completely resolved in the next release, v1.6.
I have not been able to prevent this either through the plugin or any adjustment to the code, but added the following lines to my htaccess file:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
RewriteRule \.(doc|docx)$ - [F]
Done one test through the cart and seems to work perfectly (so far). Can purchase but not access directly. Just add the file formats you want blocked in the third line.
The next version of EDD will use these rules:
Options -Indexes
deny from all
<FilesMatch '\.(jpg|png|gif)$'>
Order Allow,Deny
Allow from all
</FilesMatch>
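
As an added example (not EDD's code and not written by anyone in this thread), the Python sketch below models the two protections discussed above: keeping a file above the web root, and the `deny from all` rule set with its image exception. The helper names `htaccess_allows` and `direct_url_exposure` are hypothetical, and the rule evaluation is a deliberately simplified model of Apache that assumes the nearest `.htaccess` decides.

```python
import re
from pathlib import Path

# The rule set quoted in the thread, embedded as sample input.
EDD_RULES = r"""Options -Indexes
deny from all
<FilesMatch '\.(jpg|png|gif)$'>
Order Allow,Deny
Allow from all
</FilesMatch>
"""

def htaccess_allows(rules: str, filename: str) -> bool:
    """Simplified model (assumption): only 'deny/allow from all' and
    <FilesMatch> sections are understood; the last applicable directive wins."""
    allowed = True      # files are served unless a rule denies them
    section = None      # compiled regex of the enclosing <FilesMatch>, if any
    for raw in rules.splitlines():
        line = raw.strip()
        opened = re.match(r"<FilesMatch\s+['\"]?(.+?)['\"]?>$", line, re.I)
        if opened:
            section = re.compile(opened.group(1))
        elif line.lower() == "</filesmatch>":
            section = None
        elif section is None or section.search(filename):
            if re.fullmatch(r"deny\s+from\s+all", line, re.I):
                allowed = False
            elif re.fullmatch(r"allow\s+from\s+all", line, re.I):
                allowed = True
    return allowed

def direct_url_exposure(webroot: Path, target: Path) -> str:
    """Classify a download file: 'outside-webroot', 'denied' or 'served'."""
    webroot, target = webroot.resolve(), target.resolve()
    try:
        target.relative_to(webroot)
    except ValueError:
        return "outside-webroot"    # not under the document root
    # Nearest .htaccess between the file and the web root decides (simplification).
    for folder in [target.parent, *target.parent.parents]:
        htaccess = folder / ".htaccess"
        if htaccess.is_file():
            ok = htaccess_allows(htaccess.read_text(), target.name)
            return "served" if ok else "denied"
        if folder == webroot:
            break
    return "served"
```

Run `direct_url_exposure` against each stored download to see which files rely on the `.htaccess` rules and which sit outside the web root entirely.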