• Resolved Cheryl

    (@tricheryltops)


    Hi,

    I found that I can download a file uploaded to WooCommerce from any device when I’m not logged in and have the link directly to the file.

    I have the following set up:

    • Force downloads
    • downloads require login
    • append a unique filename

    When I discovered this, I changed the settings to not allow guest checkout, and I found that I needed to “start applying rules” in the downloadable directories settings in WooCommerce.

    The .htaccess for the folder has deny from all.

    I did read the article here:
    https://woocommerce.com/document/digital-downloadable-product-handling/

    My web hosting provider says they cannot do any customization in NGINX as described in the article.

    How can I protect the files in the woocommerce_uploads directory? I don’t want to completely block access to everything in the uploads directory.

Viewing 1 replies (of 1 total)
  • Plugin Support lionel.a11n

    (@lioneldaniel)

    Hello @tricheryltops,

    When a file is directly accessed via the URL, WordPress is not invoked – so while WooCommerce places an .htaccess file in the uploads directory to promote a secure configuration, no WooCommerce or WordPress settings will protect your file uploads. Such access to files on your site is handled by your web server configuration and is up to your host.

    If your host cannot protect your files with the recommendations in our Digital/Downloadable File Handling documentation, then you might consider a web host which can configure your server securely.

    Even if you move hosts, I recommend continuing to use a download method other than ‘Redirect only’ so your users never see the file location, and checking the option to append a unique string to the filename. Those were good measures to take.

    I’m marking this question as ‘resolved’ since it really is up to your host to configure your web server to prevent direct file access, not WordPress. However, if you have any follow-up questions feel free to reply, or start a new topic if you have a new question. Thank you!
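
Added example, not part of the original thread and not WooCommerce code: a Python check, run from a machine that is not logged in, that shows whether the web server itself refuses direct requests into the downloads directory, which is the layer the reply says must do the blocking. The `/wp-content/uploads/woocommerce_uploads/` path (default WordPress layout), the host name and the file name are assumptions; substitute your own site and a file you uploaded.

```python
import urllib.error
import urllib.request

# Assumption: default WordPress layout; adjust if the uploads directory was moved.
UPLOADS_PATH = "/wp-content/uploads/woocommerce_uploads/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a bounce to a
    login page is not mistaken for the file being served."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    if 200 <= status < 300:
        return "EXPOSED"   # the web server answered an anonymous client
    if status in (401, 403, 404):
        return "BLOCKED"   # refused at the web server; WordPress was never asked
    return "REVIEW"        # redirect or server error: inspect by hand


def probe(url, opener=None, timeout=10):
    """GET url with no cookies or credentials; return (status, verdict)."""
    opener = opener or urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code          # 3xx/4xx/5xx arrive here
    except OSError:
        return None, "UNREACHABLE"  # DNS failure, refused connection, timeout
    return status, classify(status)


def check_site(base_url, filename, opener=None):
    """Probe one known file and the directory itself under UPLOADS_PATH."""
    root = base_url.rstrip("/") + UPLOADS_PATH
    # A 2xx on the directory means the server answers inside it (listing or index file).
    return {url: probe(url, opener) for url in (root + filename, root)}


if __name__ == "__main__":
    # Placeholder values (constructed): replace with your site and your own file.
    results = check_site("https://shop.example", "2024/01/sample-abc123.pdf")
    for url, (status, verdict) in results.items():
        print(f"{verdict:11} {status} {url}")
```

Run it before and after the host changes the server configuration; every line should read BLOCKED once direct access is denied.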

  • The topic ‘Protecting downloads’ is closed to new replies.