• Resolved magicpowers

    (@magicpowers)


    hi

    I have noticed a new feature – Approved Product Download Directories – in my WC. I have read the Guide and yet I still have no idea what it is and what it is for, as it is missing the context and instructions.

    Could you please clarify for me the following:

    It says

    The Approved Product Download Directories list has been updated. To protect your site, please review the list and make any changes that might be required.

    How do I know what changes are required and why?

    I have 6 downloadable products. When I created each product, I did not have any option or choice of the Download Directory. I still can’t see in the product editor what Download Directory the product is in. How can I determine that?

    When I opened my Approved Product Download Directories list, it shows 6 pathways: four (4) as…./content/uploads… followed by the year and month, not marked as ENABLED, and two (2) with the suffix …./woocommerce_uploads/ marked as ENABLED with a tick.

    1. How can I tell which one is for which product?
    2. Am I supposed to move those four not marked as enabled into the enabled ones? How can I do that?
    3. what is the difference between an Approved Directory and not approved, in practical terms? is the download/access security improved? I actually have to completely block my product pages from the SEO and change the file names to random, as otherwise it is very easy to download the product for free from the product page if it is publicly accessible and found. (could you possibly address this security issue as well?)
    4. The two Approved Directories are very different. One is a normal URL, which is fine; but one is a path to a folder in my website’s public directory /public-html/ – and I’m not happy about it.

    Why was one of my products created in this directory? how? and which one?

    All this is extremely confusing I must say. Since I’m the site owner and the only Admin, I need to understand this and sort it out. I’m afraid the information about this you gave us is incomplete, has no context, no instructions and raises more questions than it answers.

    I would appreciate your reply addressing my questions.

    thanks

Viewing 15 replies - 1 through 15 (of 18 total)
  • Mirko P.

    (@rainfallnixfig)

    Hello @magicpowers,

    Thanks for reaching out with your questions!

    How do I know what changes are required and why?

    Not necessarily you’d want to do changes. The woocommerce_uploads folder should be enabled by default (green ✔) and this is the available folder for digital files storage.

    How can I determine that?

    The enabled directory has a green tick mark as you can see here:

    and two (2) with the suffix …./woocommerce_uploads/ marked as ENABLED with a tick.

    /wp-content/uploads/woocommerce_uploads/ is the directory enabled for digital files storage. All other directories are where any other file (like images) can be stored but are not approved for Downloadable Files. Please remember that this feature allows you to choose where you want to store your Downloadable Files.

    You can read more about digital/downloadable products here:

    https://woocommerce.com/document/digital-downloadable-product-handling/

    Resources for this new feature can be found at these links:

    * https://developer.woocommerce.com/2022/04/14/approved-download-directories/
    * https://woocommerce.com/document/approved-download-directories/

    Best regards.

    Thread Starter magicpowers

    (@magicpowers)

    @rainfallnixfig

    thanks for your reply.

    However, you have simply repeated what it says in your help articles – which are insufficient as I have already pointed out – rather than answering my specific questions. You leave me and other users to GUESS and fill in the information gaps which is not helpful.

    You did not answer my questions at all, which is disappointing as I believe I have outlined them very clearly. If however that wasn’t clear enough – let’s try again:

    1. How can I determine the current directory of each of my products? The list you are referring to does NOT identify the product. The path does NOT include the product ID or any other identifier. There is NO storage folder name anywhere in the product editor. So – exactly how and where can I identify which Approved and unapproved folder shown in the new Approved Folders list belongs to which of my products? – because based on the information displayed – I CAN’T.

    2. If I decide to move my downloads from the unapproved folder to the Approved one – HOW exactly can I do that? What is the process? Do I need to change something in the product editor? Please include a screenshot of what exactly needs to be changed. Do I need to go to the cpanel, access the file manager, find my product file, find the WC approved folder and move the product file there? Is there a new setting in WC to do that? Please include a screenshot showing this setting to change the product download folder in the navigation panel as I can’t see it.

    I now have this message to protect my site and make the required changes to my product storage folders on every product page (in editor) without giving me ANY instructions HOW to do this!

    Can you understand how frustrating it is when you tell the user to change something (or determine the option for new products) without telling them HOW to do this step by step? Do you assume that everyone…knows? Not every WC user is a developer or has a developer on standby.

    /wp-content/uploads/woocommerce_uploads/ is the directory enabled for digital files storage. All other directories are where any other file (like images) can be stored but are not approved for Downloadable Files. Please remember that this feature allows you to choose where you want to store your Downloadable Files.

    HOW?? You keep repeating your article and still NOT explaining HOW THIS CAN BE DONE!

    You did not address my questions 3 and 4 at all.

    3. what is the difference between an Approved Directory and not approved, in practical terms? is the download/access security improved?

    I actually have to completely block my product pages from the SEO and change the file names to random, as otherwise it is very easy to download the product for free from the product page if it is publicly accessible and found. (could you possibly address this security issue as well?)

    4. The two Approved Directories are very different. One is a normal URL, which is fine; but one is a path to a folder in my website’s public directory /public-html/ – and I’m not happy about it. Why was one of my products created in this directory? how? and which one?

    Could you please answer all the above questions.

    Please don’t refer me again to those help articles as they DO NOT include the information I am seeking.

    thanks

    Plugin Support Paulo P – a11n

    (@paulostp)

    Hello @magicpowers,

    I’ll gladly help to clarify the documentation, quoting when appropriate.

    1. How can I determine the current directory of each of my products?

    When WooCommerce is installed it will try to create a new directory named woocommerce_uploads (located inside WordPress’s own uploads directory) and this will be available for file storage.

    This means that, unless you went out of your way to upload your files elsewhere, your files will be there.

    You can confirm the location by opening each product and checking the file URL.


    Link to image: https://snipboard.io/dsX6t2.jpg

    The Approved Download Directory list is an additional layer of security.

    in many cases, it may be preferable to store files elsewhere (...) The Approved Download Directory feature is intended to help with these challenges.

    If by any chance you used a different location, then you need to add that to the Approved Download Directory settings.

    2. If I decide to move my downloads from the unapproved folder to the Approved one – HOW exactly can I do that?

    WooCommerce will only write to the directory mentioned above. If you want to place your files elsewhere, you would need to do that via FTP, for example. This is not related to the Approved Download Directory feature – it has always been the case if you chose to upload files to directories other than the WooCommerce default.

    3. what is the difference between an Approved Directory and not approved, in practical terms? is the download/access security improved?

    with Approved Download Directories, we are making a further layer of protection available that will allow site owners to specify a set of trusted locations in which all downloadable files must be stored.

    This means that if a product has a file in a directory that is not approved – the download will not work.

    I actually have to completely block my product pages from the SEO and change the file names to random, as otherwise it is very easy to download the product for free from the product page if it is publicly accessible and found. (could you possibly address this security issue as well?)

    If you use the Force Downloads or X-Accel-Redirect/X-Sendfile download methods, your files are secure and protected from direct linking.

    Security concerns with downloadable products are addressed here: https://woocommerce.com/document/digital-downloadable-product-handling/

    4. The two Approved Directories are very different. One is a normal URL, which is fine; but one is a path to a folder in my website’s public directory /public-html/ – and I’m not happy about it. Why was one of my products created in this directory? how? and which one?

    Like mentioned above, all files uploaded by WooCommerce will go to the default location. Please note that public_html is where your site lives, there’s nothing wrong with the files being there.


    Link to image: https://woocommerce.files.wordpress.com/2022/04/approved-download-directories-screen.png

    Both locations enabled there are the same. They are alternate paths to the same place, one using the full server path and the other only the site relative path.

    Hope this helps!

    Hi @magicpowers

    I’m sorry that none of our responses were useful to you despite our best efforts to address your concern and help you.

    I’m leaving this thread open for a bit to see if anyone is able to add something to what we have already clarified above.

    Thread Starter magicpowers

    (@magicpowers)

    @paulostp

    Many thanks for your expanded reply.

    Q1 and 2 – thank you. I can see the file location of each product.

    However, could you please explain the following points which I find confusing:

    As I said in my original post:

    When I opened my Approved Product Download Directories list, it shows 6 pathways (folders): four (4) as…./content/uploads… followed by the year and month, not marked as ENABLED, and two (2) with the suffix …./woocommerce_uploads/ marked as ENABLED with a tick.

    I have 6 downloadable products. One has 2 files, and another one has 3 files. All of them are in one of the ….content/uploads/year/month…folder.
    None is in the …woocommerce_uploads/folder.

    1. Why are those 2 /woocommerce_uploads/ folders included in my Approved Product Downloads Directory, ticked as Enabled, if none of my product is saved there?

    2. Why only these 2 folders are ticked as Enabled, while the other 4 folders (content/uploads/year/month) are NOT marked as Enabled? This is what is confusing as it says to me that these folders are not valid/ not enabled, and so I have to move my product files saved in those folders to the one marked as ENABLED.

    you said

    This means that if a product has a file in a directory that is not approved – the download will not work.

    Are the folders WITHOUT the Enabled tick still APPROVED?

    Regarding the download security – yes, I do use one of these download methods.

    1. However, I need to upload my product audio file to the Media Library where it is publicly accessible unless I block the SEO. Even then, I change the file name as it CAN be downloaded if you find that page in the Library. I know, I have tested it myself. If I insert in the browser (on another computer) the URL to the audio file in the library – I can easily play it. My question is – how can I prevent the file download from the media library?

    2. The article Digital/Downloadable Product Handling is very helpful, thank you. However it says

    By default WooCommerce introduces a .htaccess file to protect your wp-content/uploads/woocommerce_uploads directory, however, this doesn’t guarantee the protection of this directory, since everything depends on the configuration of the server.

    and then provides a code to be inserted on the server.

    Could you tell me please where exactly do I have to insert it?

    many thanks for your help

    Thread Starter magicpowers

    (@magicpowers)

    hi @margaretwporg

    it looks like our posts have crossed-over.

    It took me a while to compose my reply to @paulostp

    hopefully he can clarify the remaining points.

    thanks!

    Thread Starter magicpowers

    (@magicpowers)

    hi @margaretwporg @paulostp

    I would appreciate your reply.

    I’m not asking for any new information but simply for further clarification.

    Unfortunately, the way your new feature is displayed is very confusing and there is no detailed and comprehensive explanation included in your help article.

    To you it may be all crystal clear because you have created it, but others need to understand what you know so well that you didn’t include in the article.

    The only “new” issue I have raised is how to protect my product files in the media library – however I can post it as a separate post (which in fact, I will).

    thanks

    Plugin Support Paulo P – a11n

    (@paulostp)

    Hello,

    I have 6 downloadable products. One has 2 files, and another one has 3 files. All of them are in one of the ….content/uploads/year/month…folder.
    None is in the …woocommerce_uploads/folder.

    That would mean that none of those files was uploaded from WooCommerce, but instead from WordPress’s Media section. When you upload files from the product creation page, those will be uploaded by WooCommerce and, as such, get placed in woocommerce_uploads.

    1. Why are those 2 /woocommerce_uploads/ folders included in my Approved Product Downloads Directory, ticked as Enabled, if none of my product is saved there?

    Those two entries are WooCommerce’s own upload location, so those are enabled by default as it is already recognized as safe.

    2. Why only these 2 folders are ticked as Enabled, while the other 4 folders (content/uploads/year/month) are NOT marked as Enabled? This is what is confusing as it says to me that these folders are not valid/ not enabled, and so I have to move my product files saved in those folders to the one marked as ENABLED.

    The remaining directories were added automatically by WooCommerce based on the file paths that it found in your downloadable products. WooCommerce is unable to vouch for the safety of locations other than the one it manages (woocommerce_uploads). So, now it is up to the site owner to either:

    • move all downloadable files to WooCommerce’s directory and manually update all products
    • or approve the directories WooCommerce found

    Are the folders WITHOUT the Enabled tick still APPROVED?

    I think I ended up clarifying that above – you would need to enable all the download locations that you want to approve.

    1. However, I need to upload my product audio file to the Media Library where it is publicly accessible unless I block the SEO. Even then, I change the file name as it CAN be downloaded if you find that page in the Library. I know, I have tested it myself. If I insert in the browser (on another computer) the URL to the audio file in the library – I can easily play it. My question is – how can I prevent the file download from the media library?

    That would be because you uploaded the file to the media library instead of using WooCommerce for the upload. WordPress’s media library is inherently public, it’s where all images attached to posts and pages get placed.

    When creating a downloadable product, you should upload the file from WooCommerce instead of picking a file from the media library. This way it will get the appropriate viewing permissions and won’t be viewable from a browser – not even by the site owner.

    I would recommend that you edit all your downloadable products to re-upload the files. This way they will get placed in an already approved folder and also get the appropriate file permissions to hide it from public.

    and then provides a code to be inserted on the server.
    Could you tell me please where exactly do I have to insert it?

    That code is only required if you’re using NGINX for your server, and should be placed towards the end of the “server” block in the NGINX configuration. If you don’t know what server you’re using, you can go to WooCommerce > Status and check the “Server info” line in the “Server environment” section.


    Link to image: https://snipboard.io/lN5CSO.jpg

    Please let us know if additional clarification is needed. We’re happy to help!

    Thread Starter magicpowers

    (@magicpowers)

    …………………………………………………………………..
    it’s such a shame that this forum allowed me to type my reply while I wasn’t actually logged on (my login expired) and only when I clicked Submit – it took me to the login page and my reply – on which I spent a lot of time composing and typing – was LOST.

    Now I have to start from scratch. Seriously, this forum needs to be improved by NOT allowing any typing if the user is not logged on. I clicked on the link in the email and there was no warning that my login has expired.
    ………………………………………………………………….
    @paulostp

    many thanks for your further explanation which is very important as it has revealed the key issues, and now finally everything makes sense.

    When creating a downloadable product, you should upload the file from WooCommerce instead of picking a file from the media library. This way it will get the appropriate viewing permissions and won’t be viewable from a browser – not even by the site owner.
    I would recommend that you edit all your downloadable products to re-upload the files. This way they will get placed in an already approved folder and also get the appropriate file permissions to hide it from public.

    WOW. I have been using WC for several years and have never been aware of that. Even when I reached out to your support a few times about the poor download security, I was never told that I was uploading the files to the wrong directory.

    The question is – HOW can I upload my media files directly to Woocommerce bypassing the media library?

    On the product page there is a field FILE URL where I can paste a copied URL – which I have been picking from the media library. I can also click CHOOSE FILE which also takes me to the media library. Even when I then choose UPLOAD FILE, that file is still added to the media library! I cannot see any option “upload to woocommerce”. Is something missing in my WC plugin?

    Could you please include a screenshot or explain how this can be done

    So, now it is up to the site owner to either:

    1. Move all downloadable files to WooCommerce’s directory and manually update all products, or
    2. Approve the directories WooCommerce found

    Could you please explain how exactly each of these two actions can be executed? How and where do you move the files and how and where do you approve the directories? Are these instructions somewhere in your help articles?

    Once I know the answers to these 3 questions I will be able to ensure that all my downloadable files are in the safe directory.

    Looking forward to your reply.

    thanks!

    Plugin Support Paulo P – a11n

    (@paulostp)

    Hello @magicpowers,

    it’s such a shame that this forum allowed me to type my reply while I wasn’t actually logged on (my login expired)

    Yes, that can happen, the www.ads-software.com forums are a bit old-school like that, we don’t get notified when a session expires.

    HOW can I upload my media files directly to Woocommerce bypassing the media library?

    It would be in the edit product page, via the “Choose file” button and then the “Upload files” section. To clarify further: the WooCommerce files still get uploaded to WordPress’s media directory, but in a separate directory inside it, with viewing permissions controlled by WooCommerce. All files uploaded via the WordPress dashboard located in /wp-admin/upload.php will be public. That’s why you should avoid uploading your downloadable products from that location.

    Here’s the full step-by-step in a video, I’m uploading an image file for a downloadable product.

    Notice that after the upload:

    • the file shows greyed-out in the media library
    • the file name changes automatically to include a random string of characters
    • I’m unable to view the file using the direct URL


    Link to GIF: https://s8.gifyu.com/images/Peek-2022-05-21-10-45.gif

    Could you please explain how exactly each of these two actions can be executed? How and where do you move the files and how and where do you approve the directories? Are these instructions somewhere in your help articles?

    Later in that reply, I shared my personal recommendation like this: I would recommend that you edit all your downloadable products to re-upload the files. This way they will get placed in an already approved folder and also get the appropriate file permissions to hide it from public.

    I still stand by it, you would follow the steps shown in the video above. After the re-upload, you could then remove the old files from the media library.

    The other options mentioned earlier are alternatives that are adequate if you don’t re-upload the files.

    To move files across directories, you would need to access your server via FTP or use the file manager if you have cPanel. It’s not something you would do from WordPress. Your web host will be able to help you with that.

    As for approving directories:

    • you would go to WooCommerce > Settings > Products > Approved Download Directories
    • place your mouse over the location you want to approve
    • click “Enable”

    There’s also a switch to enable/disable the whole approved directory feature in the Start Enforcing Rules/Stop Enforcing Rules button. Here is a video demonstration of the process:


    Link to GIF: https://s8.gifyu.com/images/Peek-2022-05-21-11-13.gif

    Please note that approving directories will not make them more secure. The site owner is just signaling to WooCommerce that they are okay with these directories being used for downloadable products. It’s up to them to make the locations secure.

    If you’re not sure what’s the best option for you, I would recommend the procedure shown on the first video.

    Hope this helps!
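
An added example, not part of the thread and not WooCommerce's own code: a small Python audit that models the rules described in the replies above (a download only works from an enabled directory, and enabling a media-library folder does not make it private). The store URL, server path, product names and the prefix-matching rule are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from posixpath import normpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample data: (directory, enabled) pairs as they might appear in the list.
APPROVED = [
    ("https://shop.example/wp-content/uploads/woocommerce_uploads/", True),
    ("/home/shop/public_html/wp-content/uploads/woocommerce_uploads/", True),
    ("https://shop.example/wp-content/uploads/2021/03/", False),
    ("https://shop.example/wp-content/uploads/2022/01/", False),
]
# Constructed sample data: product name -> the "File URL" values on its edit page.
U = "https://shop.example/wp-content/uploads/"
PRODUCT_FILES = {
    "Audio course": [U + "2021/03/lesson-1.mp3", U + "2021/03/lesson-2.mp3"],
    "E-book": [U + "woocommerce_uploads/2022/05/ebook-x7k2qd.pdf"],
    "Relative path": [U + "woocommerce_uploads/../2022/01/track.mp3"],
    "Server path": ["/home/shop/public_html/wp-content/uploads/"
                    "woocommerce_uploads/2022/05/pack-a1b2c3.zip"],
}
# Dated folders (uploads/YYYY/MM/) are where the public media library stores files.
MEDIA_DIR = re.compile(r"/wp-content/uploads/\d{4}/\d{2}/")


@dataclass
class Finding:
    product: str
    file: str
    entry: Optional[str]     # most specific list entry covering the file, if any
    download_allowed: bool   # covered by at least one ENABLED entry
    in_media_library: bool   # reachable by direct URL regardless of approval


def canonical(location: str, is_dir: bool = False) -> str:
    """Normalise a URL or server path so '..', '%2e' and '//' cannot dodge the match."""
    parts = urlsplit(location)
    path = normpath(re.sub(r"/+", "/", unquote(parts.path) or "/"))
    if is_dir and not path.endswith("/"):
        path += "/"  # match on a directory boundary, not a bare string prefix
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}" if parts.scheme else ""
    return origin + path


def audit(product_files, approved):
    dirs = [(canonical(d, is_dir=True), enabled) for d, enabled in approved]
    findings = []
    for product, files in product_files.items():
        for file in files:
            target = canonical(file)
            hits = [(d, on) for d, on in dirs if target.startswith(d)]
            findings.append(Finding(
                product, file,
                max((d for d, _ in hits), key=len, default=None),
                any(on for _, on in hits),
                bool(MEDIA_DIR.search(target)),
            ))
    return findings


def needs_action(findings):
    """Files whose download would fail, or that stay public even if approved."""
    return [f for f in findings if not f.download_allowed or f.in_media_library]


if __name__ == "__main__":
    for f in audit(PRODUCT_FILES, APPROVED):
        state = "allowed" if f.download_allowed else "BLOCKED"
        public = ", public media folder" if f.in_media_library else ""
        print(f"{f.product}: {f.file}\n    entry={f.entry} -> {state}{public}")
```

Files the audit reports under a dated media folder stay flagged even after that folder is enabled, which matches the recommendation above to re-upload them from the product page.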

    Thread Starter magicpowers

    (@magicpowers)

    @paulostp

    thank you so much! this is GOLD….

    I really appreciate your time and effort you have kindly put into this conversation to help me – and hopefully many other WC users – understand the more obscure parts of the plugin functionality.

    Just out of curiosity – is this vital information about properly uploading the product files included somewhere in your help articles? I have read all the articles (I believe) on downloadable files yet have not seen this advice anywhere.

    If not, I hope that it will be soon included there

    many thanks!
    best wishes
    Anna

    Mirko P.

    (@rainfallnixfig)

    Hi Anna,

    We are pleased to hear that you found the additional explanations from Paulo helpful.

    Just out of curiosity – is this vital information about properly uploading the product files included somewhere in your help articles?

    Instructions on how a digital product file should be uploaded in the admin product page via the Add file button are covered at this URL:

    https://woocommerce.com/document/digital-downloadable-product-handling/#downloadable-simple-products

    If you think that’s not clear enough or more information should be added to the Digital/Downloadable Product Handling and Approved Download Directories support documentation, you can make your improvement request on our Ideas Board.

    Please do not hesitate to let us know if we can be of any further assistance.

    Thread Starter magicpowers

    (@magicpowers)

    Hi @rainfallnixfig

    thanks. Yes, I have seen this article before.

    While it provides the necessary steps, it is missing the vital information along the lines of
    “only uploading the file via the CHOOSE FILE button will ensure its secure downloads as it will be saved in the Woocommerce directory” – or something to this effect.

    Not knowing this crucial difference between these two methods of the file upload is an unintended trap of having downloadable files exposed to unauthorised downloads.

    Your recent introduction of the Approved Download Directories has inadvertently brought this gap to light, which is a great side effect and outcome.

    thanks again for your help!

    Thread Starter magicpowers

    (@magicpowers)

    @rainfallnixfig

    I wanted to post my improvement request on your Ideas Board, as you have suggested.

    It asked me to login. It didn’t accept my password. I requested a password update. I got an email with a magic link to login.

    The LOGIN button in the email does not work. The “button not showing? Click here” link does not work.

    I can see the links on hover but they are not properly linked up in the email.

    So unfortunately, I can’t post my improvement request. I’ve tried.

    Plugin Support Paulo P – a11n

    (@paulostp)

    Hello,

    thank you so much! this is GOLD….

    Thank you for using WooCommerce! I’m glad we were able to solve the issue and make the site more secure in the process.

    unfortunately, I can’t post my improvement request

    That’s a shame, I’ll see if there’s an internal channel I can use to report that improvement.

    I see the topic is already marked as “resolved”, so if you need help with anything else, please open a new topic.

    Thanks!

  • The topic ‘Approved Product Download Directories confusion’ is closed to new replies.