Title: directory security Last modified: September 20, 2016 --- # directory security * Resolved [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/) * I’m trying to secure my downloads directory with htaccess using RewriteCond %{ HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC] but when downloading with filewawy i get access denyed. direct linking to file path outside of fileaway output work as expected. Viewing 15 replies - 1 through 15 (of 16 total) 1 [2](https://wordpress.org/support/topic/directory-security-2/page/2/?output_format=md) [→](https://wordpress.org/support/topic/directory-security-2/page/2/?output_format=md) * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201374) * More info please * [Shanhua](https://wordpress.org/support/users/shanhua/) * (@shanhua) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201462) * Thanks for your quick response by email — but not sure why it came to me, as this is not my question!! * I posted a question after “directory security” — it is titled “Shortcode not producing files on page”. * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201492) * Im using fileaway to list a directory with secured documents. As i do not want anyone to have direct access to files in this directory without being logged in. I wanted some extra security to disallow anyone who doesnt have nor is logged in wordpress to be able to get files.. Adding .htaccess to directory # These next two lines will already exist in your .htaccess file RewriteEngine On RewriteBase/# Add these lines right after the preceding two RewriteCond %{REQUEST_FILENAME} ^.*(doc|docx)$ RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC] RewriteRule.–[ R=403,L] works except with fileaway plugin.. If direct link to file without being logged in wordpress download is denyed If direct link to file after loggin in wordpress file downloads as expected.. BUT if try to download file with link generated with fileaway .htaccess is ignored and is always denyed access to download file * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201506) * More info about your File Away setup. Are stats enabled or disabled. What does your shortcode look like. * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201513) * without adding .htaccess to directory the only security files have is to make sure “Options +Indexes” is turned off, but if direct path is known file is basically public available * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201517) * Where is this htaccess file located? * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201537) * You know you can enable encrypted links in File Away, right? You just don’t want to use that feature? * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201555) * root directory: wp install directory base directory 1: /public_html/secure-content/ base url: genjitech.com (HTTPS) ———- Statistics are disabled —————- [Shortcode][ fileaway type=”table” showto=”administrator,insurance_company,safety_director” search=”yes” searchlabel=”Filter Data Below” mod=”no” redirect=”true” recursive =”on” only=”Accident-Safety” theme=”silver-bullet” heading=”Accident-Reports” hcolor=”blue” color=”blue” iconcolor=”blue”] * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201561) * enable encrypted links is fine and plan on enabling this, but this doesnt fix the fact that with out .htaccess on the directory there is nothing in place to keep someone from just hotlinking the file as its open to the public.. even with encrypted links its not that hard to view source and get the complete path * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201613) * .htaccess tried in the /public_html/secure-content tried /public_html {modifying the main wordpress .htaccess} both yields same results * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201637) * I can’t reproduce anything you’re describing. An htaccess file to protect files would normally go in the directory where the files are stored. * If encryption is disabled, all File Away does is put the link on the page. There’s no difference between that and just manually typing a link to the file. * Please demonstrate to me how you think it is easy to ” view source and get the complete path” with encrypted links enabled, because that’s counterintuitive to me, the plugin developer. * You can have encrypted links enabled AND use an htaccess file to secure your files and you won’t have the problem you’re describing, which I can’t reproduce anyway. - This reply was modified 9 years, 8 months ago by [thomstark](https://wordpress.org/support/users/thomstark/). * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201655) * ok to reproduct the problem add .htaccess file to directory you wish to secure add # These next two lines will already exist in your .htaccess file RewriteEngine On RewriteBase / # Add these lines right after the preceding two RewriteCond %{ REQUEST_FILENAME} ^.*(doc|docx)$ RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.* $ [NC] RewriteRule . – [R=403,L] visit page and click link Apache error| your are not allow by server configuration now load copy the link and past it directly in address bar and file downloads like magic * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201678) * Yeah, nope. That’s what I did. I can’t reproduce your issue. * The simplest way to secure files using File Away is to do this: * [fileaway encryption=”true” type=”table” showto=”administrator,insurance_company, safety_director” search=”yes” searchlabel=”Filter Data Below” mod=”no” redirect =”true” recursive=”on” only=”Accident-Safety” theme=”silver-bullet” heading=” Accident-Reports” hcolor=”blue” color=”blue” iconcolor=”blue”] * Then in the directories where you store your files, add an .htaccess file in each directory that just has two lines: * order deny,allow deny from all * Plugin Author [thomstark](https://wordpress.org/support/users/thomstark/) * (@thomstark) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201746) * Here’s the issue: * The htaccess you are using doesn’t actually prevent direct access to the file, it just prevents downloads. Try it with a jpg and you will see. But a doc file is forced as a download by browsers. * If you use a direct link to the file (i.e., not using file away) and click on it, it will download, but if you right-mouse click and save, it will not download. Same thing in File Away except File Away tells all links to be downloaded, not opened in the browser. Opening the file in the browser actually bypasses your. htaccess file. YOU DON’T WANT THAT. * Use the solution I provided in the comment above for legitimate security. * Thread Starter [genjitech](https://wordpress.org/support/users/genjitech/) * (@genjitech) * [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/#post-8201820) * never mind as i have found the problem. i use wpmu domain mapping and after updating fileaway i can no long choose my mapped domain as base url. even if manual set it in db options always reset back to base network site domain site1.genjitech. com mapped as genjitech.com genjitech.com is not available as base url only site1. genjitech.com which breaks the wp cookie.. * do i need to open a new thread for mapped domain not available to choose as base? Viewing 15 replies - 1 through 15 (of 16 total) 1 [2](https://wordpress.org/support/topic/directory-security-2/page/2/?output_format=md) [→](https://wordpress.org/support/topic/directory-security-2/page/2/?output_format=md) The topic ‘directory security’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/file-away_e3e2e1.svg) * [File Away](https://wordpress.org/plugins/file-away/) * [Support Threads](https://wordpress.org/support/plugin/file-away/) * [Active Topics](https://wordpress.org/support/plugin/file-away/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/file-away/unresolved/) * [Reviews](https://wordpress.org/support/plugin/file-away/reviews/) * 16 replies * 3 participants * Last reply from: [thomstark](https://wordpress.org/support/users/thomstark/) * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/directory-security-2/page/2/#post-8201844) * Status: resolved