• Handoko

    (@handoko-zhang)


    First I want to say thank you for creating this awesome plugin. I’ve tried many similar download plugins, but this is the best.

    For some personal reasons, I want to prevent users from accessing the direct download URL (perhaps visitors that come from a bookmark). So users must visit the download page to click the download button.

    For example:
    My download page is: example.com/download-game/
    That page contains information about the game and the download button. The downloadable file is password protected. If someone clicks the button, he will be redirected to (for example): example.com/?ddownload=12. The link can be bookmarked and shared with someone else along with the password.

    After some research, I found that this .htaccess code can be used to prevent direct access to the download URL:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !example\.com [NC]
    RewriteCond %{QUERY_STRING} (ddownload=\d+) [NC]
    RewriteRule ^(.*)$ /$1? [R=301,L]

    It may not be the best solution, but so far it works. Perhaps this .htaccess trick can be added as a feature to improve security.

    https://www.ads-software.com/plugins/delightful-downloads/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Brian

    (@bwold)

    Absolutely agree with this. Would love to see this as an option in a future release. For now, I’ve created a similar .htaccess file inside /wp-content/uploads/delightful-downloads/ with the following (replacing “example” with the site domain):

    # BEGIN Restrict Access to stop direct download
    <IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} !example\.com [NC]
    RewriteRule ^(.*)$ / [R=301,L]
    </IfModule>
    # END Restrict

    So in the event that the referer is not the correct site, I’m just bouncing people to the site Home Page, with no explanation. If you choose to include something like this, perhaps the plugin might go a step further and rewrite to an error page with custom message text.

    Still, kudos for a nice plugin!
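
Added example, not part of either post or of the plugin: a small Python model of the Referer condition that both .htaccess snippets above share, combined with the query-string condition from the first post, run over constructed sample requests. It contrasts the posted unanchored pattern with an exact comparison of the Referer's hostname; the hostnames in `ALLOWED_HOSTS` and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# The two conditions from the first post's rule, as Apache evaluates them:
# an unanchored regex search, with [NC] meaning case-insensitive.
REFERER_RE = re.compile(r"example\.com", re.I)
QUERY_RE = re.compile(r"(ddownload=\d+)", re.I)

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's hostnames


def rule_redirects(referer, query):
    """True when both RewriteCond lines match, i.e. the request is bounced."""
    # A missing Referer header is an empty string to Apache, so "!pattern" is true.
    referer_missing_site = REFERER_RE.search(referer or "") is None
    return referer_missing_site and QUERY_RE.search(query) is not None


def strict_redirects(referer, query):
    """Same decision, but the Referer's parsed hostname must match exactly."""
    host = (urlsplit(referer or "").hostname or "").lower()
    return host not in ALLOWED_HOSTS and QUERY_RE.search(query) is not None


# Constructed sample requests: (description, Referer header or None, query string)
SAMPLES = [
    ("click on the download page", "https://example.com/download-game/", "ddownload=12"),
    ("bookmark, no Referer sent", None, "ddownload=12"),
    ("link on another site", "https://forum.test/thread/9", "ddownload=12"),
    ("site name inside another URL", "https://forum.test/?q=example.com", "ddownload=12"),
    ("ordinary page view, no Referer", None, "p=5"),
]


def evaluate(samples=SAMPLES):
    """Return (description, posted-rule decision, exact-host decision) per sample."""
    return [(d, rule_redirects(r, q), strict_redirects(r, q)) for d, r, q in samples]


if __name__ == "__main__":
    for desc, posted, strict in evaluate():
        print(f"{desc:32} posted rule: {'redirect' if posted else 'serve':9}"
              f"exact host: {'redirect' if strict else 'serve'}")
```

The Referer header is supplied by the client and can be omitted by browser referrer policies, so either form steers bookmark visits back to the download page rather than enforcing access; the file's password remains the actual control.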

    Plugin Author A5hleyRich

    (@a5hleyrich)

    Hi,

    I’m reluctant to add something like this into the core plugin because it’s very server specific. That said, I may create an article in the documentation which shows how to achieve something similar on both Apache and Nginx.

    Thanks,

    Ashley

    I am working with this plugin for a client who loves it. We keep getting 403 Forbidden. I saw the FAQ saying that is caused by not using the short code, but this is happening when using the short code.

    I found .htaccess file in /wp-content/uploads/delightful-downloads/ and the directives in there are:

    Options -Indexes
    deny from all

    I wonder if our problem might be related to that.

  • The topic ‘Suggestion to improve security’ is closed to new replies.