Support » Plugin: My Private Site » Protect all files from hotlinking and direct url

  • Resolved richterworks

    (@richterworks)



    This is a great plugin. I just want to be sure that PDFs and other sensitive files within the protected area can't be directly accessed. You mention that there is a way to protect the folder, but don't give instructions or a link on how to do this.

    I added a PDF then logged out and it let me access it using the URL. I want to be sure it's not accessible.

    Thanks in advance!

    https://wordpress.org/plugins/jonradio-private-site/

Viewing 5 replies - 1 through 5 (of 5 total)
  • I’m the original author and am not able to support the plugin myself anymore — David has adopted this plugin and provides support — but I should state that my reference to “protecting a folder” was referring to the ability to stop visitors from listing the names of the files within a folder. That still wouldn’t prevent someone from accessing a PDF file directly with a URL if they knew the file name and folder name.

    I have not really explored all the options for protecting individual files. I believe that Adobe still allows PDF files to be password-protected, but that is pretty user-unfriendly.

    The only other thing that I can think of is what some web hosts call “Hot Link Protection”. The concept is that files from your site can only be accessed from web pages on your site. Hackers could likely trick the mechanism, however. If you are interested, you should do some research on the subject, and explore your web hosting control panel and/or talk to your web host’s support folks.

    Thanks. I thought David was answering these and I read that he was the security guru. I am sure there is a way through htaccess to protect the file, but I am not sure how to do it and if it would hinder access via the website or through RSVP maker which I am also using.

    Sorry! I’ll leave it for David.

    In case you are interested, I did come up with an interesting solution to your problem, at least for PDF files and anything else where your users would not mind seeing a download message box come up.

    See Example #1 on this page: http://php.net/manual/en/function.readfile.php

    But use a full path instead of a relative path (monkey.gif in the code example shown).

    If your web hosting allows it, you could store your PDF files in locations that are not accessible with a URL. For example, my host has a /private/ folder in the same /www/ folder that holds the /public_html/ folder, the root of the domain.

    It would take a plugin in WordPress, or a stand-alone .php file to implement this, as the HTML gets generated before the <body> tag.
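    Putting the two suggestions above together (keep the files where no URL reaches them, and hand them out with readfile() only after a login check), here is an added example of such a stand-alone download gate. It is not the plugin's code and not something posted in this thread; the file name download.php, the /www/private/downloads directory and the file query parameter are assumptions to adapt to your host. The comments also spell out why the Referer-based "Hot Link Protection" mentioned earlier is not a substitute for the login check.

```php
<?php
/**
 * Added example (not part of the My Private Site plugin): serve files that
 * live OUTSIDE the document root to logged-in WordPress users only.
 *
 * Assumed layout (adjust to your host):
 *   /www/public_html/          document root, WordPress lives here
 *   /www/private/downloads/    PDFs etc.; no URL maps to this directory
 *
 * Install as /www/public_html/download.php and link to
 *   https://example.com/download.php?file=report.pdf
 */

// Bootstrap WordPress so is_user_logged_in() and status_header() exist.
require_once __DIR__ . '/wp-load.php';

// Assumed private directory; it must NOT be under the document root,
// otherwise the file is still reachable by URL regardless of this script.
define('PRIVATE_DOWNLOAD_DIR', dirname(__DIR__) . '/private/downloads');

/**
 * Resolve a user-supplied file name to a real path inside $base, or return
 * null if the name is unsafe, the file is missing, or it resolves elsewhere.
 */
function resolve_private_file(string $requested, string $base): ?string
{
    // Only a plain file name: no slashes, no leading dot, so "../" cannot occur.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $requested)) {
        return null;
    }
    $baseReal  = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved path must still be inside the base directory; this also
    // catches a symlink in the private folder that points somewhere else.
    if (strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/** A few known extensions get a real MIME type; anything else is a blob. */
function mime_for(string $path): string
{
    $map = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $map[$ext] ?? 'application/octet-stream';
}

// 1. Authentication. This is the check that actually protects the file.
//    A Referer check ("hot link protection") is NOT a substitute: the Referer
//    header is sent by the client, so
//      curl -H 'Referer: https://example.com/' https://example.com/download.php?file=report.pdf
//    walks straight past it.
if (!is_user_logged_in()) {
    status_header(403);
    exit('Login required.');
}

// 2. Path validation on the untrusted query parameter.
$path = resolve_private_file((string) ($_GET['file'] ?? ''), PRIVATE_DOWNLOAD_DIR);
if ($path === null) {
    status_header(404);
    exit('Not found.');
}

// 3. Stream the file. Output buffers are dropped so readfile() streams
//    instead of holding the whole PDF in memory. "attachment" produces the
//    download box mentioned above; use "inline" to open PDFs in the browser.
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: ' . mime_for($path));
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Cache-Control: private, no-store');
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

    Because the script loads WordPress first, the same login session that the site uses applies to the download, so a logged-in visitor following a link from a protected page is not hindered, while a logged-out request for the same URL gets a 403. If the host does not offer a directory outside the document root, the script still works with a folder inside it only if that folder is separately blocked from direct URL access (for example with a deny rule in its own .htaccess).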

    Plugin Author David Gewirtz

    (@dgewirtz)

    Hi, I’m back. Had some family emergencies to deal with. Thanks, Jon!

    Look, this is a powerful plugin, but it’s not a commercial security solution. There are a number of commercial products that are meant to provide robust content restriction. If you’re looking to just generally keep a site private, this will do. But if you want “security guru” level protection, I’d go with a commercial product.

    Also, speaking as a “security guru,” don’t confuse having a clue about security with great programming skills. I teach this stuff, but I’m definitely not a full-time programmer. When you’re dealing with, say, HIPAA-level security, go with a company that puts their full time and an entire team on the problem.

    –David

    P.S. Marking as resolved.

  • The topic ‘Protect all files from hotlinking and direct url’ is closed to new replies.