• I have been running some trials with EntryWizard and am very pleased with what it can do to help run our camera club competitions.

    I have a concern over the destination of the uploaded images. The images appear to be saved in subfolders of
    wp-content/uploads/ewz_img_uploads/ which means that anyone can navigate to that URL and view/download the competition entries and the generated CSV.

    Is there any way to configure EntryWizard to store these resources in another folder? Or is the recommendation to change permissions on this folder to revoke access?

    I understand that competition entry images can be referenced from other parts of WP, so perhaps this openness is regarded as a feature?

    Personally, I would like to keep the competition images separate from blog content as I think that users entering the competition would not expect their images to be visible on the blog, or indeed by anyone on the internet that navigates to this folder.

    Not a criticism, I think this is a great plugin, just looking to understand a bit more about the intended use.

    Thanks

    Steve

    https://www.ads-software.com/plugins/entrywizard/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Josie Stauffer

    (@joanne123)

    It’s a good point. I was trying to keep things as simple as possible and follow standard WordPress procedure for uploads.

    It is fairly easy to protect folders, either with an empty index.php file in the folder, or with something like “Options All -Indexes” in your main .htaccess file. That stops anyone from getting a listing of the folder contents, although it does still allow anyone who knows the exact filename to view an image.

    I’ll put it on my ever-growing todo list to see if there is a simple way to set an option that would stop direct access to the images.

    Thread Starter hartleyit

    (@hartleyit)

    Thanks for the explanation Josie, this confirms my thought that the best that can be done with the current release is to configure the Apache access rules for the folder(s).

    Would it be a big change to use a folder other than uploads? Or better still even to have the location configurable when the plugin installs?

    Thanks again

    Steve

    Thread Starter hartleyit

    (@hartleyit)

    Thinking about it further, I’m also concerned about the data which might leak out of the CSV file, as this is also published in a zip file in the uploads directory. In particular usernames, email addresses, and any other ‘sensitive’ elements which might be configured to be included. If these were to leak out it would almost certainly be a Data Protection breach…

    Plugin Author Josie Stauffer

    (@joanne123)

    In version 1.2.4 I’ve added empty index files to all the entrywizard upload folders, plus a .htaccess file in the main one. I’ve also randomized the names of the downloaded files.
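
A local check for the protections discussed in this thread, as an added example that is not part of the thread or the plugin's own code: it walks an upload tree and reports folders with no index file, a top-level .htaccess that is missing or has no active `-Indexes` option, and CSV/zip exports still sitting under the web root. The accepted index file names, the export extensions, the finding labels and the sample tree (folders `comp_a` and `comp_b`) are assumptions constructed for illustration.

```python
import os
import tempfile

INDEX_NAMES = {"index.php", "index.html"}  # assumption: either counts as the "empty index file"
SENSITIVE_EXT = {".csv", ".zip"}           # exports the thread says land in the uploads tree


def audit_upload_tree(root):
    """Return sorted (kind, relative_path) findings for an upload tree."""
    findings = []
    htaccess = os.path.join(root, ".htaccess")
    if not os.path.isfile(htaccess):
        findings.append(("no-htaccess", "."))
    else:
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            # Skip commented-out lines so "# Options -Indexes" does not count.
            active = [ln for ln in fh if not ln.lstrip().startswith("#")]
        if not any("-indexes" in ln.lower() for ln in active):
            findings.append(("listing-not-disabled", ".htaccess"))
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if not INDEX_NAMES & {f.lower() for f in files}:
            findings.append(("no-index-file", rel))
        for name in files:
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXT:
                # Hiding the listing does not stop a request for the exact name.
                findings.append(("export-in-webroot", os.path.join(rel, name)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: comp_a is protected, comp_b is not and holds an export."""
    root = os.path.join(base, "ewz_img_uploads")
    os.makedirs(os.path.join(root, "comp_a"))
    os.makedirs(os.path.join(root, "comp_b"))
    for rel, body in [(".htaccess", "# Options -Indexes\n"),
                      ("index.php", ""),
                      ("comp_a/index.php", ""),
                      ("comp_a/entry1.jpg", "x"),
                      ("comp_b/entries.zip", "x")]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in audit_upload_tree(build_sample_tree(tmp)):
            print(f"{kind:22} {path}")
```

An empty result means only that the listing protections are in place; as noted in the first reply, a file is still served to anyone who requests its exact name.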
