Support » Plugin: File Away » Security issue with intranets still there

  • Resolved hr61369256


    It is still possible to download content of a site, organized as intranet. Means where all pages are only reachable as logged-in user. But the content organized with FileAway is always reachable, despite if you are logged-in or not. Okay, you have to guess the exactly url of a document before you can download it. But it is a security hole which might be used for illegal downloads.

    Tom, is there a working solution within FileAway? … may be already on its way?

    Thank you,

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author thomstark


    This is not an “issue” with File Away. The files exist on your server. If someone knows the file address to any file, it is downloadable.

    Unless you put an .htaccess file in your file directory with a deny from all directive, but that’s your decision. If you do use an .htaccess file though, you will need to either enable stats in File Away options or enable encryption in your fileaway shortcode for downloads to work. And in this case you will not be able to use the flightbox or thumbnails.

    Thank you for your help. I use the plugin All-in-one-Intranet, which locks every wp page from outside. So you can only see the wp pages when you are logged in. Is this .htaccess hint synchronous with the login of wp? Because the .htaccess hint sounds for me like an additional password. Is this requirement feasible on the basis of file away: only single-signed-on wp users have access on every content, file-based and page-based and content cannot be downloaded for not-signed-in users?
    Thanks again.

    Plugin Author thomstark


    There is no password involved with a deny from all directive. It prevents direct access to the files from the browser, logged in or not. Then enabling stats or encryption on your File Away table will mean that when the user clicks on the download link, File Away will then push the file to the browser from the server, rather than the browser trying to navigate directly to the file.

    This should be the content of your .htaccess file:

    Order allow,deny
    Deny from all

    That’s it.

    • This reply was modified 1 year, 3 months ago by thomstark.
    Plugin Author thomstark


    To reiterate, the .htaccess file goes in your top file directory, not your wordpress install directory.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Security issue with intranets still there’ is closed to new replies.