Security

  • Resolved nmwoods123

    (@nmwoods123)


    2 years, 7 months ago

    Hi. We are looking at using the plugin to put the downloads on a private page. Are the downloads hidden from the public, both in the file system and the website?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Lana Codes

    (@lanacodes)

    This is a complex question, I will try to give a detailed answer:

    – If you upload the file using the “Download” post type file management part, it will go to the /uploads/lana-download/ folder, where direct file access is prohibited, so https://lana.codes/wp-content/uploads/lana-download/file.pdf is not accessible to anyone. So direct file access is disabled (it always works that way).

    – You can only download the file via the download permalink, for example https://lana.codes/download/1201/

    But knowing the download permalink, there is no limitation. If someone knows the download permalink and sends it to anyone else, they will be able to download it.

    If you set the “Download” post type to private in the settings, the post type will not be publicly listed, so the link is not easily accessible publicly.

    But if, for example, you want the link to be available only to logged-in users, then that would require development and modification.

    If you have any further questions, feel free to contact me.

    Thread Starter nmwoods123

    (@nmwoods123)

    That’s great, thanks you for your quick and detailed response, much appreciated.

    I have set up a test on a stage site and have found that I can directly access the file that was uploaded download post type file management to my lana-download folder (e.g the equivalent of https://lana.codes/wp-content/uploads/lana-download/file.pdf in your example). Am I doing something wrong or misunderstanding?

    Plugin Author Lana Codes

    (@lanacodes)

    Hm, I forgot to say that restricting direct file access works for the following web servers: Apache and LiteSpeed.

    So if your localhost web server is Nginx, it doesn’t work there.

    But if your web server is Nginx, then a separate limiting solution must be applied, I think I can help you with such a limiting setting for your web server.

    You can check here:

    Tools > Site Health > Info > Server > Web server

    Thread Starter nmwoods123

    (@nmwoods123)

    Hi, it is using apache:

    Server architecture Linux 3.12.18-clouder0 x86_64
    Web server Apache

    Plugin Author Lana Codes

    (@lanacodes)

    Hm, that’s weird then. Could you send me the link to the website? Also the link of the file? So I can test it.

    You can also send by email: [email protected]

    Plugin Author Lana Codes

    (@lanacodes)

    Based on the link sent in the email, I receive this message:

    403 - Forbidden Access to this page is forbidden.

    So it seems to work.

    Thread Starter nmwoods123

    (@nmwoods123)

    Yes, it now works, thank you for investigating. We believe it was to do with the caching we had enabled which uses nginx

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Security’ is closed to new replies.