Support » Plugin: WooCommerce » How to Create WooCommerce Secure Downloads

  • Resolved meg12345


    Hi, thanks in advance for your help. Iā€™m new to this!

    Iā€™m trying to follow these steps to secure my downloadable music albums. I am using cyberduck to place my downloadable files in a folder above my webroot and copying that info into my woo commerce downloadable file.

    The people in the comments seem to be having the same trouble as me.

    If i use
    I get an error stating that it cannot be used as it does not exist on the server.

    If I copy
    everything appears fine until I go to open my purchased file, then I receive this error:

    Not Found
    The requested URL /downloads/test was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    Apache Server at Port 80

    Are these steps necessary?
    thanks for your help!

Viewing 8 replies - 1 through 8 (of 8 total)
  • Hello meg1234!

    I am not sure if I understand it right, so please help clarify this a bit šŸ™‚
    /downloads/test is the place where Woocommerce should put the file after it is purchased, or that is the place you are uploading with your FTP software (it is not really relevant if you are using Cyberduck or something other).

    When you are uploading something above webroot, that means it cannot be downloaded through any… link, that is the sole purpose.

    Now, in my experience two possibilities may occur which are the most common.
    First, try removing the ftp part from, try downloading through this link: and see how it does. Usually the serves only for connecting to the FTP service, it is important for the server to distinguish if a web browser or an FTP software is trying to connect (the latter can and should be able to upload, modify and delete files, while the first one should not be able to do these).

    The other possibility is that WordPress does not have proper file permissions, so it cannot do the co[pying of the file from the “secure” location above your webroot, to your download location. That is something that your web hosting provider could solve for you.

    Please let me know how it goes šŸ™‚


    Thanks so much Balint,

    The test portion is the test text file I was playing with. It is the file I wanted to allow people to purchase through woocommerce, and download. Once I get this sorted out, it will be a music album.

    When I remove the ftp I get another error
    ERROR 404

    My test file is currently stored above my webroot though, so I believe this is where I am misunderstanding.

    The reason I was doing this was as I understand it, It prevents the link from being copied and redistributed as explained in this article:

    Would you please skim it for me and let me now if the directions in this article are not necessary/impossible to do?

    If I upload my files straight through the “choose file” window are they at risk of being passed around? I plan on learning more about .htaccess rules next.

    My next step right now is to look into the file permissions. Thanks so much for your patience and assistance. šŸ™‚

    My web hosting provider is struggling to help me. They changed my file permissions but it makes no difference to my outcomes. I can’t tell if what I am trying to do by storing the files above my webroot is possible.

    ETA: I suppose what I’m really asking is how to ensure the safety of the files I wish to sell. Is it necessary to create a non-publicly accessible or encoded link to my files. How is that best done?

    • This reply was modified 2 years, 7 months ago by meg12345.

    What you are trying to achieve is the proper way to ensure that your files cannot be downloaded without purchasing. Everything inside your website directory can be downloaded if somebody has the link, so the best way is to put outside your webroot (the “webroot” is usually a folder called www or public_html or your domain name).

    At this point it does not make any difference what kind of file is it.

    So let’s continue with trouble shooting, although some of the things I mention should sound silly, it is not meant as an offense, just it is best to rule out these as well.

    Please double check that in the WooCommerce setting, the file path for your files is right. I am referring to the place where it is uploaded outside of the webroot. It is different for every webhost, and you should not post it here, but for example I have just installed an empty WordPress site to help testing for you.

    I would like to ask, how did you get the link you are trying to download the file with? Did you make a test purchase, and got a download link on the website or through email? One of the purposes of the secure download function is the ability to limit the number of downloads, and how many times the file can be downloaded by a specific user after he purchased the item. For this, the download link should look like something like this (just copied from the article):

    As you can see, there are some additional informations in the link, as the order number, the customer’s email, and also a security code. This makes sure that the download is valid, that the user has successfully ordered and bought the item and can download the file. Without those, it should not be possible to download the file, since it is guessable, and this way it is not secure.

    An other question is, how does your File Url look like? (Please don’t post it, that should be a secret). Does it begin with http or ftp, or it is something different, like /var/www... or /public_html/...?


    • This reply was modified 2 years, 7 months ago by Balint Toth.

    Thanks so much Balint, it’s very helpful to know that this is worth doing!

    My downloads folder which I created and have been trying to purchase from is created outside my public_html. (on the same level as it is)

    Yes, I used stripe to make a test purchase, and the link came up on the next screen, and when this was opened I am receiving my error. I also got an email with the link to download, but have not been trying those.

    I have tried several combinations for file urls which I have been getting by copying them through cyberduck and transmit as described in the article. The ones that give me the link begin with http. The ones beginning with ftp seem to give me an error immediately:

    The downloadable file
    ftp://xxx(my server number)xxxxx/downloads/xx(my file name) cannot be used as it does not exist on the server.

    For the file urls beginning with http, my file looks like this:

    I appreciate your attention to detail here, thanks so much for your continued support.

    Thank you for the answers.

    Maybe it is silly, but please try to change the file to something that will be sold on the website, some kind of audio file. There are some webhosts where the file types are limited, maybe there is some kind of limitation for the .txt file you are trying to download here.

    Just an other thing to check, please make sure that your file name does not conatin any spaces and capital letters. On Linux based servers (most of the hosting companies use Linux nowadays) the file names are case sensitive, meaning Track_001.mp3 does not mean the same as track_001.mp3, and spaces can make some weird issues. While you do that I am investigating further šŸ™‚


    Hello again!

    I think I have a solution for you šŸ™‚ I suggest that you use absolute path for your files. Since the files are on a location that cannot be reached through a regular url like, it is best to use absolute path, which for example on my server looks like something like this: /home/user/testdownloadfolder/file.mp3 but as I mentioned it earlier, these paths look different for every server.

    Now, how to get that absolute path is a bit tricky. If you are comfortable with terminal and can access your hosing through SSH, these are the steps:

    • Locate the download folder, like cd ~ and then cd foldername
      with the pwd command you will get the absolute path for your folder, something like /home/username/www/ or similar.
    • Now when you have the absolute path for your secure folder, that will be the same for all of your files in that folder, you just need to add the file names to it, and put that into the File Path textbox in WordPress. Please make sure to delete any http:// or ftp:// from the beginning, this path should begin with a single / sign (or \ if it is Windows based, but whatever pwd gives you is the one you have to use).
    • Now just for precautions, make a new test order if you can, because it is most likely that when you changed the path for the file, the security code generated for a previous test download has become invalid

    The other way to find out the absolute path is by asking support to tell it you, you can request the absolute path to that folder, or that file, later you will only have to change the file names in it respectively.

    Please let me know how it goes.


    • This reply was modified 2 years, 7 months ago by Balint Toth.

    THANK YOU!!!!

    It worked!! šŸ˜€

    I really really appreciate your perseverance with this issue. The solution was so simple!

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘How to Create WooCommerce Secure Downloads’ is closed to new replies.