Quickest To Set Up, Easiest To Use
Thank you for the feedback. This is an issue that we have continuously worked on improving.
In v1.5 we introduced a new feature that completely resolves the issue. Have you seen the new Symlink File Downloads feature added to Downloads > Settings > Misc?
FYI: WooCommerce does not prevent direct linking to file downloads. That is actually not possible in PHP at all. The file download process in EDD is actually identical to WooCommerce, with the exception of the X-File-Send feature, which is something we’re working on implementing.
I would also add that the only way for someone to find the direct file URL is to know the exact file path and name of the file, which is extremely unlikely. The folder the files are stored in cannot be browsed, so it requires the complete URL. Likelihood of someone guessing that is probably 1/100000.
Thanks for your response.
But many people can guess the direct URL. A quick look at the source would reveal that I use EDD plugin. Then they’d know by default uploads are stored in PATH REMOVED And file names are easy to guess in my case because my file names must match the downloads post title. (in the case of selling WordPress themes, file names will be easily guessed)
It will boil down to guessing the year and month of the upload.
WooCommerce redirects away from downloadable products (I guess via .htaccess). I only say this because I tested it with that plugin. I tried downloading directly, and it did not let me.
I saw the Symlink File Downloads setting, but I had no idea what that refers to. I’ll look into it. Thanks Pippin. Increased rating.
I’d suggest making your filenames more difficult to guess, just as a general rule of thumb.
I will look into how WooCommerce is doing again, but last time I checked we did it exactly the same way, in terms of how the files are protected.
FYI: I’ve just reviewed WooCommerce’s file download / protection process and they have far less protection than EDD. As far as I can tell they don’t even create a .htaccess file.
I’d be happy to be wrong so that I can take from WooCommerce, so if you learn otherwise, ping me and I’ll do what I can to implement it.
I just retested WooCommerce on a fresh install of WP. It still blocks me from downloading products.
Here’s my sample product URL if you’d like to try it:
I see that they did place an .htaccess inside /wp-content/uploads/woocommerce_uploads/. The .htaccess only contains “deny from all”. But only the actual digital products go into that directory. They put product thumbnails and other attachments in the regular /wp-content/uploads/2013.
I had abandoned WP-eCommerce (getshopped) plugin because they didn’t protect downloadable products. I was happy with WooCommerce until I heard about EDD. I still prefer EDD because of the light, clean code. But I can’t go live with EDD as it is. I came up with a solution to my problem. I drop the following into the .htaccess file that sits in the PATH REMOVED directory. I paste it underneath your “Options -Indexes” line:
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase /wordpress/ RewriteRule .\.zip$ /index.php [L] </IfModule> # END WordPress
I’m not sure how safe it is, but it seems to work. I will only sell .zip files, so this leaves the thumbs accessible.
Easy fix, if in doubt, shell out $15 (I think) and get the Amazon S3 extension. Its a small price to pay for “definitive” peace-of-mind, and you get the benefits of fast downloads, reduced hit on your own server… blah blah blah.
Have a great day.
This issue has been completely fixed in v1.6: https://github.com/easydigitaldownloads/Easy-Digital-Downloads/issues/1160
Note: even with the current version, you can simply enable the Symlink File Downloads option to completely get rid of the issue.
Thank you. I haven’t tried Symlinks yet, I didn’t think it would make a difference if the actual file is stored in the same folder, only the link is a mask, correct?. I will give it a try when I get a chance.
Is there any way to delete my post from above (referencing the path)? I apologize for being explicit about the uploads path. It was just an honest review, and at the moment I was upset at that issue because it was the only 1 flaw in an otherwise excellent plugin that I really wanted to use. It’s the best plugin I’ve seen for digital products.
Correct, the link is a mask, so technically the file is still linkable, but the file URL is never, ever revealed.
The updates I did today (for the next version), completely remove the issue though.
I can edit the path for you.
Glad to hear you like it!
- The topic ‘Quickest To Set Up, Easiest To Use’ is closed to new replies.