Ready to get started?Download WordPress


Absolute Privacy
[resolved] Uploads still publicly visible in complete lockdown mode (4 posts)

  1. Matthias Pabst
    Posted 1 year ago #

    Hi folks!

    Thanks for this plugin which I use for a family site since a few years.

    I noticed that uploaded media (like domain.com/wp-content/uploads/image-123.jpg) are still visible to non-logged-in users in complete lockdown mode. Is this a bug? I think a "complete lockdown" should also block any direct access to the uploads.



  2. Matthias Pabst
    Posted 1 year ago #

    Sorry for pushing this but I think this is a serious issue. All attachments in the upload folder are not hidden in complete lockdown mode. Every non-logged-in visitor has access to the attachments if he knows the permalink. This plugin is not save.

  3. Eric Mann
    Plugin Author

    Posted 1 year ago #

    When you access a file in the uploads directory directly, you aren't going through WordPress at all - you're being passed through to the static file by the web server directly. WordPress can't block that, and neither can Absolute Privacy.

  4. Matthias Pabst
    Posted 1 year ago #

    Hi Eric, thanks for your answer.

    I found a solution which works for me. Via .htaccess a small script checks, if a user ist logged in when trying to access a file. If not, it redirects him to the login page.
    Maybe it's possible to integrate this in your plugin.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic