Absolute Privacy
[resolved] Uploads still publicly visible in complete lockdown mode (4 posts)

  1. Matthias Pabst
    Posted 2 years ago #

    Hi folks!

    Thanks for this plugin, which I have used for a family site for a few years.

    I noticed that uploaded media (like domain.com/wp-content/uploads/image-123.jpg) are still visible to non-logged-in users in complete lockdown mode. Is this a bug? I think a "complete lockdown" should also block any direct access to the uploads.



  2. Matthias Pabst
    Posted 2 years ago #

    Sorry for pushing this but I think this is a serious issue. All attachments in the upload folder are not hidden in complete lockdown mode. Every non-logged-in visitor has access to the attachments if he knows the permalink. This plugin is not safe.

  3. Eric Mann
    Plugin Author

    Posted 2 years ago #

    When you access a file in the uploads directory directly, you aren't going through WordPress at all - you're being passed through to the static file by the web server directly. WordPress can't block that, and neither can Absolute Privacy.

  4. Matthias Pabst
    Posted 2 years ago #

    Hi Eric, thanks for your answer.

    I found a solution which works for me. Via .htaccess a small script checks if a user is logged in when trying to access a file. If not, it redirects him to the login page.
    Maybe it's possible to integrate this in your plugin.

Topic Closed

This topic has been closed to new replies.
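
The approach described in the last post, as an added example (not the poster's script and not part of Absolute Privacy): Apache rewrites every request for an existing file under the uploads directory to a small PHP gate, which boots WordPress, checks the login and only then serves the file. The file name `uploads-gate.php`, its location in the WordPress root, a site installed at the document root, and the rewrite rules in the header comment are all assumptions.

```php
<?php
/*
 * uploads-gate.php (hypothetical name), placed in the WordPress root.
 * Assumed rules for wp-content/uploads/.htaccess (Apache with mod_rewrite):
 *
 *   RewriteEngine On
 *   RewriteCond %{REQUEST_FILENAME} -f
 *   RewriteRule ^(.*)$ /uploads-gate.php?file=$1 [L]
 */

// Boot WordPress so the login cookie can be validated.
require_once __DIR__ . '/wp-load.php';

// Not logged in: send the visitor to the login page, then back to the file.
if ( ! is_user_logged_in() ) {
    wp_safe_redirect( wp_login_url( $_SERVER['REQUEST_URI'] ) );
    exit;
}

// The "file" parameter is untrusted (the gate can also be requested directly),
// so resolve it and refuse anything that lands outside the uploads directory.
$uploads = wp_upload_dir();
$base    = realpath( $uploads['basedir'] );
$file    = isset( $_GET['file'] ) ? (string) wp_unslash( $_GET['file'] ) : '';
$path    = realpath( $base . '/' . $file );

if ( false === $base || false === $path || ! is_file( $path )
    || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
    status_header( 404 );
    exit;
}

// Serve only types WordPress recognises as media; never PHP or dotfiles.
$type = wp_check_filetype( $path );
if ( empty( $type['type'] ) ) {
    status_header( 403 );
    exit;
}

header( 'Cache-Control: private, no-store' ); // keep shared caches from storing private media
header( 'X-Content-Type-Options: nosniff' );
header( 'Content-Type: ' . $type['type'] );
header( 'Content-Length: ' . filesize( $path ) );
readfile( $path );
exit;
```

This only takes effect on Apache with `.htaccess` overrides enabled; a server that does not read `.htaccess` files will keep serving the uploads directly, and any CDN or page cache in front of the site can still hold copies fetched earlier.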
