Support » Plugin: Better File Download » Security

  • Resolved Donald

    (@prilum)


    Hi Nik,
    And thanks again for the updated functionality.
    I was checking out the previous post here about prohibiting direct access to the files, and it is possible to access the files directly within the Media folder.
    Do you have any suggestions to prevent unauthorized access to download files?
    How do you prevent access to download files on your sites (since the “Upload” function only links to the Media folder which creates a common open access)?

    Would it be possible to change the associated folder in the plugin to go to another selected folder specific for download files (or a folder within the plugin itself)?
    (Separating the Media folder from the download files would be a big problem solver, at least security wise)

    Looking forward to your input.
    Thanks,
    Donald

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author ndhaddon

    (@ndhaddon)

    Hi Donald,

    I'll give it some thought but in the meantime you could try something like this post recommends…

    https://www.google.com/amp/s/upstreamplugin.com/protect-image-file-uploads-wordpress/amp/

    I hope it helps.

    Nik

    Thanks for the info Nik,
    However, the direct access to browse the upload folder is protected by the .htaccess and server settings, but I guess I did a poor job explaining what I meant. 🙂
    I have experienced files (pdf files) showing up in search engines and there is nothing preventing any access if you have the direct link to the file, or just manage to guess the name (hence also the url) of the file.

    My client provides documents, kind of info documents, to their logged in users and those could contain phone numbers, e-mail addresses and such.
    I also use a Membership plugin restricting the access to pages based on membership plans, and therefore I can restrict the access to the file if it is processed thru the Better File Download entry (but not if it is accessed thru the direct URL to the file in the Upload folder).

    I have read somewhere (can't remember where) that it is possible to code the .htaccess so that when someone tries to access (open) a pdf file by using the direct link, the .htaccess rule checks the file format (i.e. pdf) and whether the opening action is going thru a specific URL; otherwise the access will be denied (even if you use the direct link to the file in the Uploads folder).

    For example: say i have a file here http://mydomain.com/wp-content/uploads/my-pdf-file.pdf
    I use Better File Download, and have included a download on a page.
    The URL will then be changed to http://mydomain.com/bfd_download/my-pdf-file.pdf/
    The .htaccess will check if the request is made for a .pdf format file, and that the URL is “http://mydomain.com/bfd_download/”. If the requester uses the direct link to the pdf file in the Uploads folder (or whatever folder is used), the server will reject the access.

    Would it be possible to use such a method with Better File Download?
    Any experience with that?

    I know my question might be outside the plugin support area, but I thought – if this is possible, the plugin could add the rewrite rule in the .htaccess file with the installation, providing a gold solution without any work within the plugin code. 🙂

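
    Donald's .htaccess idea above, carried through as an added example that is not code from the Better File Download plugin or from anyone in this thread. Checking which URL a request "came through" means trusting the Referer header, which any client can forge or omit, so the example instead denies direct access to a protected subfolder and routes every request for it through a small gatekeeper script that checks login (where a membership check would plug in) before streaming the file; the script path wp-content/bfd-gate.php, the protected/ subfolder and the bfd_example_ function names are assumptions.

```php
<?php
// Added example; not code from Better File Download or from anyone in this thread.
// Assumed layout: this file is wp-content/bfd-gate.php and protected documents live in
// wp-content/uploads/protected/. The routing rule (also an assumption) goes in
// wp-content/uploads/.htaccess, so a direct link never reaches the file itself:
//   RewriteEngine On
//   RewriteBase /wp-content/uploads/
//   RewriteRule ^protected/(.+\.(?:pdf|docx?))$ /wp-content/bfd-gate.php?file=$1 [L,QSA]
// Files outside protected/ stay public, so documents meant for visitors are unaffected.
require_once dirname(__DIR__) . '/wp-load.php';   // bootstrap WordPress so auth functions exist

// Resolve the requested name and refuse anything that escapes the protected directory
// (../ traversal, symlinks pointing outside, URL-encoded variants).
function bfd_example_resolve(string $requested, string $baseDir): ?string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Authorization for one file: logged-in users only. A membership plugin's plan check
// would extend this; the path is passed so per-document rules can be added.
function bfd_example_may_download(string $path): bool {
    return is_user_logged_in();
}
$file = bfd_example_resolve((string) ($_GET['file'] ?? ''), __DIR__ . '/uploads/protected');
if ($file === null) {
    status_header(404);   // unknown or out-of-tree path: reveal nothing about what exists
    exit;
}
if (!bfd_example_may_download($file)) {
    wp_safe_redirect(wp_login_url(home_url($_SERVER['REQUEST_URI'])));   // to login, then back
    exit;
}

$mime = [
    'pdf'  => 'application/pdf',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
];
$ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
nocache_headers();   // stop browsers and proxies from keeping a copy of a restricted document
header('Content-Type: ' . ($mime[$ext] ?? 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . sanitize_file_name(basename($file)) . '"');
header('Content-Length: ' . filesize($file));
readfile($file);
exit;
```

    Search engines and guessed links then only ever reach the gatekeeper, and the public part of the uploads folder keeps working as before.
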
    Plugin Author ndhaddon

    (@ndhaddon)

    Hi Donald,

    I really, really don't want to mess with people's .htaccess files (I spent a week performance tuning mine); however, if you want to restrict access to the uploads folder to logged in users only you could try this approach…

    https://orbisius.com/blog/restrict-access-wordpress-uploads-folder-logged-users-p3662

    However… I have not tried this and do not know how effective it is.

    I hope it helps 🙂

    Nik

    Thanks Nik for linking to my article 🙂

    Slavi

    Thanks Nik, and you are totally right not to affect any setups of the .htaccess files. That just came out of me, in an excited creative mode, without thinking (brainstorming). 😀
    The main thought was if you had any experience with restricting access by checking if the request was made with a specific URL. (not all requests to a file format, since there might be documents meant for public visitors as well, not only to logged in users)
    But thanks for the link (and to Svetoslav providing the information).
    I will check it out, and if it works I might be able to tweak it to fit the target site. 🙂

    Cheers

    Plugin Author ndhaddon

    (@ndhaddon)

    Glad I was able to point you in the right direction 🙂
