Upload directory browsable notice.

Hello,

This could be a false positive message. I looked around and found a similar issue here: https://www.ads-software.com/support/topic/your-stores-uploads-directory-is-browsable-via-the-web-we/

To remove that notice, you can apply the code below:

add_filter( 'uploads_directory_is_public_notice', '__return_false' );

I would recommend using a plugin like?Code Snippets?to add the snippet to your site.

https://woocommerce.com/document/customizing-woocommerce-best-practices/#section-4

Hi @maykato,

I also looked around and found the same. I always search first before posting questions.

This was already reported years ago and Woo authors admitted it was a problem that they needed to fix, and it appears they did. Now it seems it’s back. My question is why can’t I simply dismiss it?

The thing is, I am with Siteground, which is one of the top recommended Woo hosts, so I would think Woo would be able to pick up on such things and not come up with false positives. In other words, SG servers are already configured to hide the upload directory and return a 403.

Also, adding yet another plugin to fix a problem created by another one isn’t really an option. I also really want to avoid a child theme, and have been for 8 years. I don’t really want to install one for something like this.

Ok, I tried the plugin and added the code, didn’t work. I also tried adding the code manually, didn’t work either. I am on an NGINX server.

Right, what did work was this:

function filter_woocommerce_show_admin_notice( $true, $notice ) {
    if ( $notice === 'uploads_directory_is_unprotected' )
        return false;
    // Default
    return $true;
}
add_filter( 'woocommerce_show_admin_notice', 'filter_woocommerce_show_admin_notice', 10, 2 );

which I found towards the end of the other thread you shared from 1.8 years ago.

• This reply was modified 2 years, 8 months ago by Sean.

Hi @sean-h,

We are glad to hear that the more robust snippet seems to be working. I cannot test this on your site myself as we do not have the URL.

This was already reported years ago and Woo authors admitted it was a problem that they needed to fix, and it appears they did. Now it seems it’s back. My question is why can’t I simply dismiss it?

It could be a false positive, which can be confirmed fully by your Host – it is not something that we can control fully. If it does show again it would be optimal to check with your Host to verify there are no breaches that might not be thought of or realized.

Also, adding yet another plugin to fix a problem created by another one isn’t really an option. I also really want to avoid a child theme, and have been for 8 years. I don’t really want to install one for something like this.

We only offer the Code Snippets alternative to directly placing code into your theme as a way to prevent it from being lost should the theme and/or WooCommerce update, as you most likely already know. That is the only reason we do ?? Code Snippets is a safe plugin that can hold items indefinitely, and have individual additions be turned on/off easily in the plugin settings – this gives the freedom not to pollute the theme with potentially unnecessary code, and give the option for not having a child theme.

Hope this helps!