
Absolute Privacy
[resolved] Uploads still publicly visible in complete lockdown mode (4 posts)

  1. Matthias Pabst
    Member
    Posted 9 months ago #

    Hi folks!

    Thanks for this plugin, which I have used for a family site for a few years.

    I noticed that uploaded media (like domain.com/wp-content/uploads/image-123.jpg) are still visible to non-logged-in users in complete lockdown mode. Is this a bug? I think a "complete lockdown" should also block any direct access to the uploads.

    Best,
    Matthias

    http://wordpress.org/plugins/absolute-privacy/

  2. Matthias Pabst
    Member
    Posted 9 months ago #

    Sorry for pushing this but I think this is a serious issue. All attachments in the upload folder are not hidden in complete lockdown mode. Every non-logged-in visitor has access to the attachments if he knows the permalink. This plugin is not safe.

  3. Eric Mann
    Member
    Plugin Author

    Posted 8 months ago #

    When you access a file in the uploads directory directly, you aren't going through WordPress at all - you're being passed through to the static file by the web server directly. WordPress can't block that, and neither can Absolute Privacy.

  4. Matthias Pabst
    Member
    Posted 8 months ago #

    Hi Eric, thanks for your answer.

    I found a solution which works for me. Via .htaccess, a small script checks if a user is logged in when trying to access a file. If not, it redirects him to the login page.
    http://www.0to5blog.com/tips/protecting-wordpress-media-uploads-unless-user-is-logged-in/
    Maybe it's possible to integrate this in your plugin.
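
One way to build the kind of gate described in the thread, as an added example that is not part of the original posts and is not the script from the linked article: Apache rewrites every uploads request to a PHP file that boots WordPress, checks the login cookie and only then streams the file. The file name `media-gate.php`, its location in the WordPress root and the rewrite rules in the header comment are assumptions, and the setup requires Apache with mod_rewrite and `.htaccess` overrides enabled.

```php
<?php
/*
 * media-gate.php (hypothetical name), placed in the WordPress root.
 *
 * Assumed rules for the root .htaccess, above the WordPress block:
 *   RewriteEngine On
 *   RewriteCond %{REQUEST_FILENAME} -f
 *   RewriteRule ^wp-content/uploads/(.+)$ media-gate.php?file=$1 [QSA,L]
 */

// Boot WordPress so the authentication cookie can be validated.
require_once __DIR__ . '/wp-load.php';

if ( ! is_user_logged_in() ) {
	// Send the visitor to the login page and back to the file afterwards.
	wp_safe_redirect( wp_login_url( $_SERVER['REQUEST_URI'] ) );
	exit;
}

$uploads = wp_upload_dir();
$base    = realpath( $uploads['basedir'] );
$request = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
$path    = realpath( $base . '/' . $request );

// realpath() resolves "../" and symlinks; anything that ends up outside
// the uploads directory, or is not a regular file, is treated as missing.
if ( false === $base || false === $path
	|| 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
	|| ! is_file( $path ) ) {
	status_header( 404 );
	exit;
}

// Serve only file types WordPress itself accepts for upload.
$type = wp_check_filetype( $path );
if ( empty( $type['type'] ) ) {
	status_header( 403 );
	exit;
}

header( 'Content-Type: ' . $type['type'] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );
header( 'Cache-Control: private, no-store' ); // keep shared caches from storing private media
readfile( $path );
exit;
```

A request to an upload URL from a logged-out browser should then return a redirect to the login page rather than the file; on nginx or any server that ignores `.htaccess`, the equivalent rewrite has to be configured in the server itself.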
