Title: File Security
Last modified: August 31, 2016

---

# File Security

 *  Resolved [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/)
 * The plug-in works great, but my files can be downloaded by anyone who knows the
   direct link.
    EG: entering the link into a browser – [https://mysite.com/wp-content/uploads/edd/2016/03/example.pdf](https://mysite.com/wp-content/uploads/edd/2016/03/example.pdf)–
   commences a direct download to someone who has not paid. Currently using the “
   redirect setting”. The “forced setting” does not allow any downloads at all, 
   older ones or newly created. The Symlink files option being ticked does nothing
   at all. I tried to create a blank plug-in with the code from this tutorial: [http://docs.easydigitaldownloads.com/article/247-modifying-edd-htaccess-file-rules](http://docs.easydigitaldownloads.com/article/247-modifying-edd-htaccess-file-rules)
   But it also did nothing. I only entered this code into the blank plug-in and 
   no change to the htaccess file. I saved in the admin panel Downloads>settings
   >misc . Still nothing. I tried placing a password on my EDD file through C-Panel
   but this stopped all downloads. I have read every thread, and no solutions. Anyone
   know how to protect your files?
 * [https://wordpress.org/plugins/easy-digital-downloads/](https://wordpress.org/plugins/easy-digital-downloads/)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196201)
 * What happens to the files when using the Forced download method?
 * We’re about to release an update that should resolve the issues with the Symlink
   file downloads. Would you be interested in trying that version?
 *  Thread Starter [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196237)
 * Hi Pippin,
    I’ll try anything to fix this problem! I am interested to try your
   version that fixes the Symlink files. When I select the Forced download method
   the files cannot be accessed/stolen by entering the direct address into the browser,
   when the Forced setting is saved it sets that command in the htaccess file to
   prevent it. However, all download links fail and any new links created also fail.
   The browser says the file cannot be found, it may have moved or have capitalization
   error. I just took it that my server probably does not support the Forced method.
   Pippin, I am only a novice at this stuff but I have really tried to solve it 
   by researching all your documents and forums. Please carefully explain any answers
   you have so that a novice like me can understand, please!!
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196253)
 * Here’s a direct download link to the beta version: [https://github.com/easydigitaldownloads/Easy-Digital-Downloads/archive/2.5.10-beta.zip](https://github.com/easydigitaldownloads/Easy-Digital-Downloads/archive/2.5.10-beta.zip)
 * Let me know if you’re unsure of how to install the beta (it’s installed like 
   any other plugin).
 *  Thread Starter [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196257)
 * Pippin, just to be certain, do I uninstall EDD that I have now, then install 
   this version that I just downloaded?
    Also do I: 1. Place all my files I want
   protected into the file named “symlinks”. 2. Tick the box named “Symlink File
   Downloads?” located at Downloads>Settings>Misc? (save it) 3. I will have to make
   Media Library aware of the files being moved? (The download posts I created will
   no longer be able to locate the files, as the URL’s recorded in Media Library
   will change) I use the plug-in “Add from server” as most of my files are already
   on the server and are too large to upload through add media. This will mean reloading
   all files again, and finally removing the Media Library records that refer to
   the old file location. All this will protect my files in the end, and do you 
   think the plug-in will still work as it does now?
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196293)
 * First delete the existing version of Easy Digital Downloads then install the 
   new version I sent you.
 * 1. Do not change the location of any files.
 * 2. In the Misc > File Downloads tab, set the method to Redirect and check the
   box for Symlinks.
 * 3. Note: only files placed in wp-content/uploads/edd/ will be protected. Files
   in the regular media library cannot be protected.
 *  Thread Starter [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196308)
 * Okay Pippin, you make it sound easy! I’ll give it a try over Easter and let you
   know how it works out.
    Thanks for your replies!
 *  Thread Starter [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196314)
 * Pippin, I had a bit of time just now so I gave it a try.
    Sad to inform you the
   solution has failed. Here is what I did: 1. Deactivated and Deleted EDD Plug-
   in. 2. Installed the EDD plug-in received from you yesterday. Activated it. 3.
   Went to Settings>Misc>Downloads and ticked the Symlink box. 4. Saved settings.
   5. Attempted to access a file located here: [https://mysite.com/wp-content/uploads/edd/2016/03/example.pdf](https://mysite.com/wp-content/uploads/edd/2016/03/example.pdf)
   6. File was immediately downloaded. 7. Copied a file to [https://mysite.com/wp-content/uploads/symlinks/](https://mysite.com/wp-content/uploads/symlinks/)(
   Two files were created with this copy, one identical and another named: example_13347f2fbc4897815.
   pdf / (file is much smaller)) 8. Attempted to access these files in symlinks 
   folder through the browser. 9. Files were immediately downloaded. 10. Rechecked
   all settings – all okay. 11. Tried to “save” at Settings>Misc to see if had any
   effect. – None. 12. Uploaded “Pluginception Plug-in” 13. Created a blank Plug-
   in named “EDD file protector”. 14 Added this code into the blank plug-in:
 *     ```
       <?php
       function edd_custom_modify_htaccess_rules( $rules, $method ) {
   
       	switch( $method ) :
       		case 'redirect' :
       			// Prevent directory browsing
       			$rules = "Options -Indexes";
       			break;
       		case 'direct' :
       		default :
       			// Prevent directory browsing and direct access to all files, except images (they must be allowed for featured images / thumbnails)
       			$rules = "Options -Indexes\n";
       			$rules .= "deny from all\n";
       			$rules .= "<FilesMatch '\.(jpg|png|gif|ogg)$'>\n";
       			    $rules .= "Order Allow,Deny\n";
       			    $rules .= "Allow from all\n";
       			$rules .= "</FilesMatch>\n";
       			break;
       	endswitch;
       	return $rules;
       }
       add_filter( 'edd_protected_directory_htaccess_rules', 'edd_custom_modify_htaccess_rules', 10, 2 );
   
       /*
       Plugin Name: EDD file protector
       Plugin URI:
       Description:
       Version:
       Author:
       Author URI:
       License:
       License URI:
       */
       ```
   
 * 15. Tested access to all files named above. Instant download of all files was
   allowed.
 * Just to note, nothing is added to the htaccess file located in the EDD folder.
   It only reads as: Options -Indexes
 * Any suggestions Pippin?
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196316)
 * There’s a bit of misunderstanding about how the `Redirect` method works.
 * When `Redirect` is enabled, files are _not_ protected from direct access. They
   are protected through obscurity. The idea of redirects with symlinks is that 
   the real location of the file is never revealed to a customer, but if a customer
   were to know the exact URL (as you as a site administrator do), they could access
   it. Because of the way that file downloads through redirection work, it’s not
   possible to fully block direct access to the files.
 * With the new beta version, the Forced file download method should work. Can you
   tell me if it works properly when using Forced?
 *  Thread Starter [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196317)
 * Pippin, you have provided the solution!
    The Forced method does work with the
   new beta version. The files are completely protected by the htaccess command 
   it creates. Will the Forced method be able to handle large zipped files being
   downloaded, up to about 300MB? I read in your documents that there may be a problem
   downloading larger files with the Forced method, or is this sorted out in your
   new beta version?
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196322)
 * Excellent!
 * Large files should work just fine, though sometimes the reliability of large 
   file downloads can be dependent on your server configuration. If you are using
   a low end server, such as from a cheap web host, large files will be less reliable.
   If you are using a high end server from a really good webhost, large files shouldn’t
   be a problem.
 * If you do find that large files are unreliable, two good alternatives are to 
   use Amazon S3 or Dropbox to deliver them:
 * [https://easydigitaldownloads.com/downloads/amazon-s3/](https://easydigitaldownloads.com/downloads/amazon-s3/)
   
   [https://easydigitaldownloads.com/downloads/dropbox-file-store/](https://easydigitaldownloads.com/downloads/dropbox-file-store/)
 *  Thread Starter [captgoodvibes](https://wordpress.org/support/users/captgoodvibes/)
 * (@captgoodvibes)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196330)
 * Thanks for all your assistance Pippin.
    I have made a donation to your site to
   show some appreciation! I will mark this as resolved.
 *  Moderator [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * (@mordauk)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196331)
 * Happy to help and thank you!

Viewing 12 replies - 1 through 12 (of 12 total)

The topic ‘File Security’ is closed to new replies.

 * ![](https://ps.w.org/easy-digital-downloads/assets/icon.svg?rev=3455837)
 * [Easy Digital Downloads – eCommerce Payments and Subscriptions made easy](https://wordpress.org/plugins/easy-digital-downloads/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/easy-digital-downloads/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/easy-digital-downloads/)
 * [Active Topics](https://wordpress.org/support/plugin/easy-digital-downloads/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/easy-digital-downloads/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/easy-digital-downloads/reviews/)

## Tags

 * [file security](https://wordpress.org/support/topic-tag/file-security/)

 * 12 replies
 * 2 participants
 * Last reply from: [Pippin Williamson](https://wordpress.org/support/users/mordauk/)
 * Last activity: [10 years, 2 months ago](https://wordpress.org/support/topic/file-security-2/#post-7196331)
 * Status: resolved