Security
-
Hi Nik,
And thanks again for the updated functionality.
I was checking out the previous post here about prohibit direct access to the files, and it is possible to access the files directly within the Media folder.
Do you have any suggestions to prevent unauthorized access to download files?
How do you prevent access to download files on your sites (since the “Upload” function only links to the Media folder which creates a common open access)?Would it be possible to change the associated folder in the plugin to go to another selected folder specific for download files (or a folder within the plugin itself)?
(Separating the Media folder from the download files would be a big problem solver, at least security wise)Looking forward to your input.
Thanks,
Donald
-
Thanks for the info Nik,
However, the direct access to browse the upload folder is protected by the .htaccess and server settings, but I guess I did a poor job explaining what I meant. 🙂
I have experience files (pdf files) showing up in search engines and there is nothing preventing any access if you have the direct link to the file, or just manage to guess the name (hence also the url) of the file.My client provide documents, kind of info documents, to their logged in user and that could contain phone numbers, e-mail adresses and such.
I also use a Membership plugin restricting the access to pages based on membership plans, and therefore I can restrict the access to the file if it is processed thru the Better File Download entry (but not if it is accessed thru the direct URL to the file in the Upload folder).I have read somewhere (Can’t remember were), that it is possible to code the .htaccess, so that when someone try to access (open) a pdf file by using the direct link, the .htaccess rule check the file format (i.e. pdf) and if the opening action is going thru a specific URL, otherwise the access will be denied (even if you use the direct link to the file in the Uploads folder).
For example: say i have a file here http://mydomain.com/wp-content/uploads/my-pdf-file.pdf
I use Better File Download, and have included a download on a page.
The URL will then be changed to http://mydomain.com/bfd_download/my-pdf-file.pdf/
The .htaccess will check if the request is made for a .pdf format file, and that the URL is “http://mydomain.com/bfd_download/”. If the requester use the direct link to the pdf file in the Uploads folder (or whatever folder is used), the server will reject the access.Would it be possible to use such a method with Better File Download? ¨
Any experience with that?I know my question might be outside the plugin support area, but I thought – if this is possible, the plugin could add the rewrite rule in the .htaccess file with the installation providing a gold solution without any work within the plugin codes. 🙂
The topic ‘Security’ is closed to new replies.
