Title: File uploads .. Security issue
Last modified: November 15, 2022

---

# File uploads .. Security issue

 *  Resolved [dakman](https://wordpress.org/support/users/dakman/)
 * (@dakman)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/file-uploads-security-issue/)
 * So I was cleaning a client's server and noticed imported zip files are stored 
   with 644 permissions in wp-uploads/wpallimport/ with no .htaccess file preventing
   public downloads!! Also, this persists even if the plugin is deleted (e.g. the 
   uploads folder) and contents remain intact.
 * Yes the file names are long but this is a major risk as it is possible for these
   files to be downloaded (which may include customer data) if someone is able to
   find the specific zip file name, public URI and access the specific path.. [http://www.example.com/wp-content/uwpallimport/xxxx-mylong-backupname-withdate.zip](http://www.example.com/wp-content/uwpallimport/xxxx-mylong-backupname-withdate.zip)
   etc
 * Glad I caught this in case somehow Google indexed or somehow discovered these
   uploads! Extremely unlikely but just saying someone else/plugin developer might
   find this helpful in hardening the plugin or their specific WordPress instance!
    -  This topic was modified 3 years, 6 months ago by [dakman](https://wordpress.org/support/users/dakman/).

Viewing 1 replies (of 1 total)

 *  Plugin Author [WP All Import](https://wordpress.org/support/users/wpallimport/)
 * (@wpallimport)
 * [3 years, 6 months ago](https://wordpress.org/support/topic/file-uploads-security-issue/#post-16238605)
 * Hey [@dakman](https://wordpress.org/support/users/dakman/),
 * As long as “Randomize folder names” is enabled in WP All Import’s settings, we
   use a randomized folder name to store the files; but, you’re correct that you
   can use a .htaccess file to prevent downloads from those folders if you wish 
   to make certain that nobody can download them.


The topic ‘File uploads .. Security issue’ is closed to new replies.
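
An added example, not part of the original thread or the plugin's code: a shell audit for the two conditions raised above (no deny-all `.htaccess`, files readable by "other"), plus the `.htaccess` hardening the plugin author mentions. The directory is passed as an argument and the function names are hypothetical; the rule assumes Apache with `AllowOverride` enabled.

```shell
#!/bin/sh
# Audit/harden an import directory given as $1 (path is the caller's choice).
# Function names are hypothetical; the .htaccess rule needs Apache with
# AllowOverride enabled and is ignored by other web servers.

# Succeeds if DIR/.htaccess holds a deny-all directive (heuristic line match).
has_deny_rule() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$1/.htaccess"
}

# Prints every file under DIR whose mode grants read to "other" (e.g. 644).
world_readable_files() {
    find "$1" -type f ! -name '.htaccess' -perm -004 -print
}

# Reports both findings; returns non-zero if either is present.
audit_dir() {
    rc=0
    has_deny_rule "$1" || { echo "no deny-all .htaccess in $1"; rc=1; }
    exposed=$(world_readable_files "$1")
    [ -z "$exposed" ] || { echo "world-readable files:"; echo "$exposed"; rc=1; }
    return "$rc"
}

# Adds the deny rule (Apache 2.4 form, 2.2 fallback) and drops o+r on files.
harden_dir() {
    if ! has_deny_rule "$1"; then
        cat >> "$1/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
    fi
    find "$1" -type f ! -name '.htaccess' -perm -004 -exec chmod o-r {} +
}

# Stand-alone use: ./audit.sh /path/to/import/dir
[ "$#" -eq 0 ] || audit_dir "$1"
```

If the web server runs as the files' owner or group, removing the "other" read bit does not affect HTTP access; in that setup only the deny rule stops downloads.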


 * 1 reply
 * 2 participants
 * Last reply from: [WP All Import](https://wordpress.org/support/users/wpallimport/)
 * Last activity: [3 years, 6 months ago](https://wordpress.org/support/topic/file-uploads-security-issue/#post-16238605)
 * Status: resolved