Photos in password protected posts aren't protected (4 posts)

  1. Hannes
    Posted 7 years ago #

    I was posting my first password protected blog post yesterday. I added a lot of photos to that post using the WP media manager. Well, everything looked good - I couldn't read the post without entering the password. But then I tried opening a photo from the post directly in another browser (where I hadn't entered the password) - and I could see the photo without entering the password.

    Is this normal behavior? I would think it would be logical that in a protected post everything that belonged to that post (attachments, photos, etc.) would also be protected.

    Any news on whether this is a known problem that is being worked on? Or is there anybody that can provide a solution to prevent this - so people are asked for a password also on pages for individual photos?

    There is a chance that I just need to add something to my theme - I based it on the default Kubrick theme when I started my blog (early 2006).


  2. figaro
    Posted 7 years ago #

    The post password only protects information that is in the database. And I emphasize the word "protect"...don't even think of that as the same thing as being "secured". The post password is stored in the post table in plain text (unencrypted), so it simply provides a very low level of protection to that information.

    In a default WP install, your uploaded images/files are stored in the uploads directory in your file system...not the database. This directory is in public_html, so any file/image you upload will be available to anyone who knows the URL to the image/file...the password doesn't protect that file.

    In other programs, I have installed the file upload directory outside public_html to protect the uploaded files from being directly browsed through the web, but I haven't tried this in WP, so I'm not sure if it would work in WP...I may experiment with this later to see if it will work.
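
One way to close the gap described in the reply above, as an added example that is not part of the thread and not WordPress core code: a gate script that serves an upload only if the post it is attached to does not currently require a password from this visitor. The file name `gate.php`, the `file` query parameter, and the web-server rule that blocks direct access to the uploads directory and routes requests to the script are assumptions; it also assumes a current WordPress version.

```php
<?php
// Added example, not WordPress core code. Hypothetical gate script: assumes it
// sits in the WordPress root and that the web server blocks direct access to
// the uploads directory, routing requests here as gate.php?file=2013/05/photo.jpg.
require __DIR__ . '/wp-load.php';

$uploads  = wp_get_upload_dir();
$base     = realpath( $uploads['basedir'] );
$relative = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
$path     = is_string( $relative ) ? realpath( $base . '/' . $relative ) : false;

// Refuse anything that resolves outside the uploads directory (path traversal).
if ( ! $base || ! $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
	status_header( 404 );
	exit;
}

// Map the file to its attachment record, then to the post it was uploaded to.
$rel_url       = str_replace( DIRECTORY_SEPARATOR, '/', substr( $path, strlen( $base ) + 1 ) );
$attachment_id = attachment_url_to_postid( $uploads['baseurl'] . '/' . $rel_url );
if ( ! $attachment_id ) {
	// Resized copies are stored as photo-300x200.jpg; retry without the size suffix.
	$original      = preg_replace( '/-\d+x\d+(\.[^.\/]+)$/', '$1', $rel_url );
	$attachment_id = attachment_url_to_postid( $uploads['baseurl'] . '/' . $original );
}

// Fail closed: a file with no attachment record is not served at all.
if ( ! $attachment_id ) {
	status_header( 403 );
	exit;
}

// post_password_required() is true when the parent post has a password and the
// visitor's browser has not sent the matching post-password cookie.
$parent_id = wp_get_post_parent_id( $attachment_id );
if ( $parent_id && post_password_required( $parent_id ) ) {
	status_header( 403 );
	exit;
}

$type = wp_check_filetype( $path );
header( 'Content-Type: ' . ( $type['type'] ? $type['type'] : 'application/octet-stream' ) );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Cache-Control: private, no-store' ); // keep shared caches from replaying the file
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

The check only covers files whose attachment record points at the protected post, meaning the post they were uploaded to; a photo uploaded to a public post and reused in a protected one stays public.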

  3. Hannes
    Posted 7 years ago #

    @figaro: OK, thank you. I'm not storing anything super secret but I think it would be nice if all contents of a protected post would be indeed protected.

    I also noticed that comments on protected posts are not at all protected - you can see them in the comments RSS feed.

  4. Hannes
    Posted 7 years ago #

    OK, my bad... I just verified (on another computer) and comments on protected posts are indeed protected in the comments RSS feed - it says "Protected Comments: Please enter your password to view comments.".

    But I can still see the name of the person that left the comment - so that's kind of a "security breach" ;)

This topic has been closed to new replies.