Uploads still publicly visible in complete lockdown mode

  • Resolved Matthias Pabst

    (@matthiaspabst)


    10 years, 6 months ago

    Hi folks!

    Thanks for this plugin which I use for a family site since a few years.

    I noticed that uploaded media (like domain.com/wp-content/uploads/image-123.jpg) are still visible to non-logged-in users in complete lockdown mode. Is this a bug? I think a “complete lockdown” should also block any direct access to the uploads.

    Best,
    Matthias

    http://wordpress.org/plugins/absolute-privacy/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter Matthias Pabst

    (@matthiaspabst)

    10 years, 5 months ago

    Sorry for pushing this but I think this is a serious issue. All attachments in the upload folder are not hidden in complete lockdown mode. Every non-logged-in visitor has access to the attachments if he knows the permalink. This plugin is not save.

    Plugin Author Eric Mann

    (@ericmann)

    10 years, 5 months ago

    When you access a file in the uploads directory directly, you aren’t going through WordPress at all – you’re being passed through to the static file by the web server directly. WordPress can’t block that, and neither can Absolute Privacy.

    Thread Starter Matthias Pabst

    (@matthiaspabst)

    10 years, 5 months ago

    Hi Eric, thanks for your answer.

    I found a solution which works for me. Via .htaccess a small script checks, if a user ist logged in when trying to access a file. If not, it redirects him to the login page.
    http://www.0to5blog.com/tips/protecting-wordpress-media-uploads-unless-user-is-logged-in/
    Maybe it’s possible to integrate this in your plugin.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Uploads still publicly visible in complete lockdown mode’ is closed to new replies.