directory security
-
I’m trying to secure my downloads directory with htaccess using RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
but when downloading with filewawy i get access denyed. direct linking to file path outside of fileaway output work as expected.
-
More info please
Thanks for your quick response by email — but not sure why it came to me, as this is not my question!!
I posted a question after “directory security” — it is titled “Shortcode not producing files on page”.
Im using fileaway to list a directory with secured documents. As i do not want anyone to have direct access to files in this directory without being logged in. I wanted some extra security to disallow anyone who doesnt have nor is logged in wordpress to be able to get files..
Adding .htaccess to directory
# These next two lines will already exist in your .htaccess file
RewriteEngine On
RewriteBase /
# Add these lines right after the preceding two
RewriteCond %{REQUEST_FILENAME} ^.*(doc|docx)$
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule . – [R=403,L]
works except with fileaway plugin..
If direct link to file without being logged in wordpress download is denyed
If direct link to file after loggin in wordpress file downloads as expected..
BUT if try to download file with link generated with fileaway .htaccess is ignored and is always denyed access to download fileMore info about your File Away setup. Are stats enabled or disabled. What does your shortcode look like.
without adding .htaccess to directory the only security files have is to make sure “Options +Indexes” is turned off, but if direct path is known file is basically public available
Where is this htaccess file located?
You know you can enable encrypted links in File Away, right? You just don’t want to use that feature?
root directory: wp install directory
base directory 1: /public_html/secure-content/
base url: genjitech.com (HTTPS)
———-
Statistics are disabled
—————-
[Shortcode]
[fileaway type=”table” showto=”administrator,insurance_company,safety_director” search=”yes” searchlabel=”Filter Data Below” mod=”no” redirect=”true” recursive=”on” only=”Accident-Safety” theme=”silver-bullet” heading=”Accident-Reports” hcolor=”blue” color=”blue” iconcolor=”blue”]enable encrypted links is fine and plan on enabling this, but this doesnt fix the fact that with out .htaccess on the directory there is nothing in place to keep someone from just hotlinking the file as its open to the public..
even with encrypted links its not that hard to view source and get the complete path.htaccess
tried in the /public_html/secure-content
tried /public_html {modifying the main wordpress .htaccess}
both yields same resultsI can’t reproduce anything you’re describing. An htaccess file to protect files would normally go in the directory where the files are stored.
If encryption is disabled, all File Away does is put the link on the page. There’s no difference between that and just manually typing a link to the file.
Please demonstrate to me how you think it is easy to ” view source and get the complete path” with encrypted links enabled, because that’s counterintuitive to me, the plugin developer.
You can have encrypted links enabled AND use an htaccess file to secure your files and you won’t have the problem you’re describing, which I can’t reproduce anyway.
-
This reply was modified 8 years, 6 months ago by
thomstark.
ok to reproduct the problem
add .htaccess file to directory you wish to secure add
# These next two lines will already exist in your .htaccess file
RewriteEngine On
RewriteBase /
# Add these lines right after the preceding two
RewriteCond %{REQUEST_FILENAME} ^.*(doc|docx)$
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule . – [R=403,L]
visit page and click link
Apache error| your are not allow by server configuration
now load copy the link and past it directly in address bar and file downloads like magicYeah, nope. That’s what I did. I can’t reproduce your issue.
The simplest way to secure files using File Away is to do this:
[fileaway encryption=”true” type=”table” showto=”administrator,insurance_company,safety_director” search=”yes” searchlabel=”Filter Data Below” mod=”no” redirect=”true” recursive=”on” only=”Accident-Safety” theme=”silver-bullet” heading=”Accident-Reports” hcolor=”blue” color=”blue” iconcolor=”blue”]
Then in the directories where you store your files, add an .htaccess file in each directory that just has two lines:
order deny,allow
deny from allHere’s the issue:
The htaccess you are using doesn’t actually prevent direct access to the file, it just prevents downloads. Try it with a jpg and you will see. But a doc file is forced as a download by browsers.
If you use a direct link to the file (i.e., not using file away) and click on it, it will download, but if you right-mouse click and save, it will not download. Same thing in File Away except File Away tells all links to be downloaded, not opened in the browser. Opening the file in the browser actually bypasses your .htaccess file. YOU DON’T WANT THAT.
Use the solution I provided in the comment above for legitimate security.
never mind as i have found the problem. i use wpmu domain mapping and after updating fileaway i can no long choose my mapped domain as base url. even if manual set it in db options always reset back to base network site domain
site1.genjitech.com mapped as genjitech.com
genjitech.com is not available as base url only site1.genjitech.com which breaks the wp cookie..do i need to open a new thread for mapped domain not available to choose as base?
-
This reply was modified 8 years, 6 months ago by
- The topic ‘directory security’ is closed to new replies.