Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Contributor Pippin Williamson

    (@mordauk)

    What happens to the files when using the Forced download method?

    We’re about to release an update that should resolve the issues with the Symlink file downloads. Would you be interested in trying that version?

    Thread Starter captgoodvibes

    (@captgoodvibes)

    Hi Pippin,
    I’ll try anything to fix this problem! I am interested to try your version that fixes the Symlink files.
    When I select the Forced download method, the files cannot be accessed/stolen by entering the direct address into the browser; when the Forced setting is saved, it sets that command in the htaccess file to prevent it.
    However, all download links fail and any new links created also fail. The browser says the file cannot be found; it may have moved or have a capitalization error. I just took it that my server probably does not support the Forced method.
    Pippin, I am only a novice at this stuff but I have really tried to solve it by researching all your documents and forums. Please carefully explain any answers you have so that a novice like me can understand, please!!

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Here’s a direct download link to the beta version: https://github.com/easydigitaldownloads/Easy-Digital-Downloads/archive/2.5.10-beta.zip

    Let me know if you’re unsure of how to install the beta (it’s installed like any other plugin).

    Thread Starter captgoodvibes

    (@captgoodvibes)

    Pippin, just to be certain, do I uninstall EDD that I have now, then install this version that I just downloaded?
    Also do I:
    1. Place all my files I want protected into the file named “symlinks”.
    2. Tick the box named “Symlink File Downloads?” located at Downloads>Settings>Misc? (save it)
    3. I will have to make Media Library aware of the files being moved? (The download posts I created will no longer be able to locate the files, as the URLs recorded in Media Library will change) I use the plug-in “Add from server” as most of my files are already on the server and are too large to upload through add media. This will mean reloading all files again, and finally removing the Media Library records that refer to the old file location.
    All this will protect my files in the end, and do you think the plug-in will still work as it does now?

    Plugin Contributor Pippin Williamson

    (@mordauk)

    First delete the existing version of Easy Digital Downloads then install the new version I sent you.

    1. Do not change the location of any files.

    2. In the Misc > File Downloads tab, set the method to Redirect and check the box for Symlinks.

    3. Note: only files placed in wp-content/uploads/edd/ will be protected. Files in the regular media library cannot be protected.

    Thread Starter captgoodvibes

    (@captgoodvibes)

    Okay Pippin, you make it sound easy! I’ll give it a try over Easter and let you know how it works out.
    Thanks for your replies!

    Thread Starter captgoodvibes

    (@captgoodvibes)

    Pippin, I had a bit of time just now so I gave it a try.
    Sad to inform you the solution has failed.
    Here is what I did:
    1. Deactivated and Deleted EDD Plug-in.
    2. Installed the EDD plug-in received from you yesterday. Activated it.
    3. Went to Settings>Misc>Downloads and ticked the Symlink box.
    4. Saved settings.
    5. Attempted to access a file located here: https://mysite.com/wp-content/uploads/edd/2016/03/example.pdf
    6. File was immediately downloaded.
    7. Copied a file to https://mysite.com/wp-content/uploads/symlinks/ (Two files were created with this copy, one identical and another named: example_13347f2fbc4897815.pdf / (file is much smaller))
    8. Attempted to access these files in symlinks folder through the browser.
    9. Files were immediately downloaded.
    10. Rechecked all settings – all okay.
    11. Tried to “save” at Settings>Misc to see if it had any effect. – None.
    12. Uploaded “Pluginception Plug-in”
    13. Created a blank Plug-in named “EDD file protector”.
    14. Added this code into the blank plug-in:

    <?php
    function edd_custom_modify_htaccess_rules( $rules, $method ) {
    
    	switch( $method ) :
    		case 'redirect' :
    			// Prevent directory browsing
    			$rules = "Options -Indexes";
    			break;
    		case 'direct' :
    		default :
    			// Prevent directory browsing and direct access to all files, except images (they must be allowed for featured images / thumbnails)
    			$rules = "Options -Indexes\n";
    			$rules .= "deny from all\n";
    			$rules .= "<FilesMatch '\.(jpg|png|gif|ogg)$'>\n";
    			    $rules .= "Order Allow,Deny\n";
    			    $rules .= "Allow from all\n";
    			$rules .= "</FilesMatch>\n";
    			break;
    	endswitch;
    	return $rules;
    }
    add_filter( 'edd_protected_directory_htaccess_rules', 'edd_custom_modify_htaccess_rules', 10, 2 );
    
    /*
    Plugin Name: EDD file protector
    Plugin URI:
    Description:
    Version:
    Author:
    Author URI:
    License:
    License URI:
    */

    15. Tested access to all files named above. Instant download of all files was allowed.

    Just to note, nothing is added to the htaccess file located in the EDD folder. It only reads as: Options -Indexes

    Any suggestions Pippin?

    Plugin Contributor Pippin Williamson

    (@mordauk)

    There’s a bit of misunderstanding about how the Redirect method works.

    When Redirect is enabled, files are not protected from direct access. They are protected through obscurity. The idea of redirects with symlinks is that the real location of the file is never revealed to a customer, but if a customer were to know the exact URL (as you as a site administrator do), they could access it. Because of the way that file downloads through redirection work, it’s not possible to fully block direct access to the files.

    With the new beta version, the Forced file download method should work. Can you tell me if it works properly when using Forced?
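
The difference described in this reply, as an added example that is not part of the thread or of Easy Digital Downloads: a simplified evaluator for the two rule sets returned by the filter posted earlier, listing which files a direct URL would still reach. It models only a top-level `deny from all` and `<FilesMatch>` blocks containing `Allow from all`; the function names and the sample files `cover.jpg` and `bundle.zip` are constructed for illustration.

```python
import re

# Rule sets copied from the filter posted earlier in the thread.
REDIRECT_RULES = "Options -Indexes"
DIRECT_RULES = (
    "Options -Indexes\n"
    "deny from all\n"
    "<FilesMatch '\\.(jpg|png|gif|ogg)$'>\n"
    "Order Allow,Deny\n"
    "Allow from all\n"
    "</FilesMatch>\n"
)

def parse_rules(text):
    """Return (deny_all, allow_patterns) from a minimal .htaccess body."""
    deny_all = False
    allow_patterns = []
    current = None  # compiled regex of the <FilesMatch> block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<FilesMatch\s+['\"]?(.+?)['\"]?>$", line, re.I)
        if m:
            current = re.compile(m.group(1))
        elif line.lower() == "</filesmatch>":
            current = None
        elif line.lower() == "deny from all" and current is None:
            deny_all = True
        elif line.lower() == "allow from all" and current is not None:
            allow_patterns.append(current)
    return deny_all, allow_patterns

def directly_served(htaccess_text, filename):
    """True if a request for the file's exact URL would be answered."""
    deny_all, allow_patterns = parse_rules(htaccess_text)
    if not deny_all:
        # "Options -Indexes" only hides directory listings, not files.
        return True
    return any(p.search(filename) for p in allow_patterns)

def audit(htaccess_text, filenames):
    """Return the sorted list of files reachable by direct URL."""
    return sorted(f for f in filenames if directly_served(htaccess_text, f))

# Constructed sample contents of wp-content/uploads/edd/.
SAMPLE_FILES = ["2016/03/example.pdf", "2016/03/cover.jpg", "2016/03/bundle.zip"]
```

With the redirect rule set every sample file is reported as reachable; with the other rule set only the image exception remains.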

    Thread Starter captgoodvibes

    (@captgoodvibes)

    Pippin, you have provided the solution!
    The Forced method does work with the new beta version.
    The files are completely protected by the htaccess command it creates.
    Will the Forced method be able to handle large zipped files being downloaded, up to about 300MB?
    I read in your documents that there may be a problem downloading larger files with the Forced method, or is this sorted out in your new beta version?

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Excellent!

    Large files should work just fine, though sometimes the reliability of large file downloads can be dependent on your server configuration. If you are using a low end server, such as from a cheap web host, large files will be less reliable. If you are using a high end server from a really good webhost, large files shouldn’t be a problem.

    If you do find that large files are unreliable, two good alternatives are to use Amazon S3 or Dropbox to deliver them:

    https://easydigitaldownloads.com/downloads/amazon-s3/
    https://easydigitaldownloads.com/downloads/dropbox-file-store/

    Thread Starter captgoodvibes

    (@captgoodvibes)

    Thanks for all your assistance Pippin.
    I have made a donation to your site to show some appreciation!
    I will mark this as resolved.

    Plugin Contributor Pippin Williamson

    (@mordauk)

    Happy to help and thank you!

  • The topic ‘File Security’ is closed to new replies.