403 forbidden when clicking on download

You must add the file using Download Monitor. You can either upload it within Download Monitor or you can add an existing file, but either way you have to “add” it in Download Monitor so you can get an ID for it. I assume in both of your tests you did actually add it and get an ID for your shortcode.

Normally, when you add a file to Download Monitor it will put it in wp-content/uploads/dlm_uploads/someotherstuff… Sometimes that dlm_uploads folder is protected by the webserver. That may be the cause of the 403. That is permissions on the directory if I recall correctly. So, you can change those to fix it, usually. Or you can move the file somewhere else and fix the path in Download Monitor (when you are looking at the detail page of your download in Download Monitor, you will note that over on the right side there is a little note by a checkbox that says something about the dlm_uploads folder being protected and the fact that you may need to move your download somewhere else).

You might not need to do anything other than to check (or uncheck if it’s already checked) the hide/mask url option in the EBD settings. That changes the way EBD accesses the download and may get around the 403 problem without you having to change any permissions or move any files.

hmm I am able to access the file in https://mywebsite.com/wp-content/uploads/dlm_uploads/2016/07/file.pdf when visiting the url but when I used the link given by the email before download plugin https://mspseofactory.com/wp-content/plugins/email-before-download/download.php?dl=be7386128922c7ebac30f6206f135139 It’s a 403 error. what permission do i need to set? I know it can write because it’s adding to the dlm_uploads folder and I can access it but in the downloads.php?dl I can’t

Thank you for responding

and also when I check the curl extension in the email before download settings the popupt throws a 403 forbidden error maybe this can help you help me ??

thanks I really appreciate your help

It looks like php programs in your plugins directory are protected.

For example, this gives a 403 error:
https://mspseofactory.com/wp-content/plugins/email-before-download/checkcurl.php

But this does not:
https://mspseofactory.com/wp-content/plugins/email-before-download/readme.txt

Because the link EBD uses goes to download.php in the plugin directory, obviously that has to be executable by people coming over the net. Most likely you have .htaccess file in your main wordpress directory or in wp-content or in the plugins directory that is blocking execution of php scripts by IP addresses other than 127.0.0.1. Or, it could be in your webserver config files. Assuming you are using Apache, then you will probably see a stanza with the Files directive in it and a .php extension and a deny along with it. Or, it could be a product of a security plugin.

Note that the fact that your EBD form works means that php programs in your plugins directory will run — but only when they are run by wordpress doing something, not when they are directly accessed by someone coming over the net. That is why I suggested that it allows localhost (127.0.0.1).

I use Sucuri Security (https://www.ads-software.com/plugins/sucuri-scanner/) on my site and have it set to harden the wp-content folder (which prevents direct PHP file access).

I’ve addressed this by adding a .htaccess file to the email-before-download plugin folder with:

<Files *.php>
allow from all
</Files>

So this one plugin can directly call PHP files. That said, it would be nice if this plugin were to be made to work without needing to directly call PHP files since none of the other plugins I use have an issue with this security enhancement (I’d imagine there’s a way to make it work allowing the site to be more secure).

Many of the features of the plugin require the link to download the file to go to a php program in order to work (download.php in this case). By making things go through download.php, the plugin can do things like check to see if the link has expired, mask/hide the actual file location behind the download.php?abunchofletters link, decide whether to actually go get the file itself & send it to the visitor (even if a remote URL) or instead redirect the visitor’s browser to the URL of the file, use Download Monitor to get the file information & increment stats, handle error cases like when the file is missing or inaccessible, etc.

I can imagine a few people might not care about any of those features and would be fine if the plugin just displayed a direct link to the download file rather than making it go through it download.php, but you’re the first person to actually mention it.

Frankly, I’m not sure that there’s really that much security benefit to that setting in securi (or wordfence or any other security plugins that do that). If you have found some hole in someone’s system that allows you to write .php files into wp-content, then the fact that you cannot directly access & execute those using your browser is probably not going to stop that many people. All a hacker would need to do is replace some legitimate PHP file of some plugin you have installed & then cause that plugin to execute somehow. If all you have are admin-side plugins, then he would have to wait until you logged in as admin and then his replacement PHP file would run. But, if you had something like a shortcode plugin and you’d used shortcodes on various pages in your site … or if you had a backup program that ran nightly .. or if you had like a mailchimp signup page and a mailchimp plugin .. then he could just replace one of the legitimate PHP files in those plugins and then go to public pages on your site to make one of those plugins run (or wait until your backup program runs) and his code would execute. Securi or Wordfence will detect the change if you have your scan set to do that, but by then it could easily be too late. Anyway, my 2 cents…