Viewing 5 replies - 1 through 5 (of 5 total)
  • Barry Kooij

    (@barrykooij)

    Hey,

    Not if you make your download Members Only. The plugin will check upon download request if the user is logged in.

    Kind Regards,

    Barry Kooij

    Thread Starter bobjgarrett

    (@bobjgarrett)

    But if they know (or can guess) the URL then they don’t need to be logged in; they could simply use the URL independent of WordPress?

    Barry Kooij

    (@barrykooij)

    No, the URL the plugin generates (the /download/ID/ one) will check if the user is logged in before it starts the download.

    Thread Starter bobjgarrett

    (@bobjgarrett)

    I may still be missing something here but if the file URL is clear then guesses can be made for other similar URLs and these loaded directly.
    So someone seeing https://www.xyz.com/wp-content/uploads/dlm_uploads/2015-plans.pdf may guess that https://www.xyz.com/wp-content/uploads/dlm_uploads/2016-plans.pdf would be worth loading.
    I thought that hiding these was the purpose of the hashing options but these also leave the URL of the file as clear text.

    People should never be able to see the /dlm_uploads URL as you should link to /download/ID. If you have Redirect to File enabled at the download, disable it as this is only something you want to enable in very specific cases.
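
As an added example (not part of the thread and not the plugin's own code), one way to check the advice above is to scan a rendered page for links that expose the `/dlm_uploads/` path instead of the gated `/download/ID` URL. The function names, the sample HTML and the assumption that the ID is numeric are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Path shapes taken from the thread; a numeric ID is an assumption.
DIRECT = re.compile(r"/wp-content/uploads/dlm_uploads/")
GATED = re.compile(r"/download/\d+/?$")


class LinkAudit(HTMLParser):
    """Sort every href/src on a page into direct-file or gated download links."""

    def __init__(self):
        super().__init__()
        self.direct, self.gated = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("href", "src") or not value:
                continue
            path = urlparse(value).path
            if DIRECT.search(path):
                self.direct.append(value)   # bypasses the login check
            elif GATED.search(path):
                self.gated.append(value)    # goes through the plugin


def audit(html):
    """Return (direct_links, gated_links) found in the given HTML."""
    parser = LinkAudit()
    parser.feed(html)
    return parser.direct, parser.gated


# Constructed sample page: one gated link, one leaked file URL, one unrelated link.
SAMPLE_HTML = """
<p><a href="https://www.example.com/download/12/">2015 plans</a></p>
<p><a href="https://www.example.com/wp-content/uploads/dlm_uploads/2015-plans.pdf">PDF</a></p>
<p><a href="/about/">About</a></p>
"""

if __name__ == "__main__":
    direct, gated = audit(SAMPLE_HTML)
    for url in direct:
        print("exposes file path:", url)
    print(len(gated), "gated link(s) found")
```

Any URL reported as exposing the file path should be replaced with the download's `/download/ID` link.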

  • The topic ‘File Security’ is closed to new replies.