/woocommerce_uploads/ downloadable path bug?

Hi there,

I’ve tested this with the latest version of WooCommerce. Both the path for the file upload is correct as /woocommerce_uploads/ and it also works for downloads after the purchase is completed.

What specifically occurs on your orders when a file is uploaded as described and the purchased are completed? Is the download link not present or are you getting an error? If you can outline the exact steps to reproduce and the error you’re receiving that can help. Also, could you please share a copy of your site’s System Status? You can find it via WooCommerce > Status.
Select “Get system report” and then “Copy for support”.? Once you’ve done that, paste it here in your response.

Hi Kenin,
I’m getting a blank image in my Media thumbnails and also in the Product Page. The thumbnail shows in the Product-Category page but when you click on the thumbnail for the Product page, the image is gone unless you hover your mouse over the image. I pasted the Support Status stuff below, and here’s a link to a 3 minute video of the problem occurring too.
https://1drv.ms/v/s!AvUdNKllJ7tti_JmtLjMwvTs90wWfQ

Thanks a lot for looking into this. I most certainly appreciate your time!
~ Frank

### WordPress Environment ###

Home URL: https://frankbiganski.com
Site URL: https://frankbiganski.com
WC Version: 3.5.2
Log Directory Writable: ?
WP Version: 5.0.1
WP Multisite: –
WP Memory Limit: 1 GB
WP Debug Mode: –
WP Cron: ?
Language: en_US
External object cache: –

### Server Environment ###

Server Info: Apache/2.4.10 (Debian)
PHP Version: 7.2.9-1+0~20180910100423.5+jessie~1.gbpdaac35
PHP Post Max Size: 1,000 MB
PHP Time Limit: 6000
PHP Max Input Vars: 2500
cURL Version: 7.38.0
OpenSSL/1.0.1t

SUHOSIN Installed: –
MySQL Version: 5.6.41-84.1
Max Upload Size: 1,000 MB
Default Timezone is UTC: ?
fsockopen/cURL: ?
SoapClient: ?
DOMDocument: ?
GZip: ?
Multibyte String: ?
Remote Post: ?
Remote Get: ?

### Database ###

WC Database Version: 3.5.2
WC Database Prefix: wp_
MaxMind GeoIP Database: ?
Total Database Size: 10.63MB
Database Data Size: 9.08MB
Database Index Size: 1.55MB
wp_woocommerce_sessions: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_api_keys: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_attribute_taxonomies: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_downloadable_product_permissions: Data: 0.02MB + Index: 0.05MB
wp_woocommerce_order_items: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_order_itemmeta: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_tax_rates: Data: 0.02MB + Index: 0.06MB
wp_woocommerce_tax_rate_locations: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_shipping_zones: Data: 0.02MB + Index: 0.00MB
wp_woocommerce_shipping_zone_locations: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_shipping_zone_methods: Data: 0.02MB + Index: 0.00MB
wp_woocommerce_payment_tokens: Data: 0.02MB + Index: 0.02MB
wp_woocommerce_payment_tokenmeta: Data: 0.02MB + Index: 0.03MB
wp_woocommerce_log: Data: 0.02MB + Index: 0.02MB
wp_commentmeta: Data: 0.02MB + Index: 0.03MB
wp_comments: Data: 0.02MB + Index: 0.09MB
wp_links: Data: 0.02MB + Index: 0.02MB
wp_options: Data: 2.03MB + Index: 0.05MB
wp_postmeta: Data: 0.19MB + Index: 0.11MB
wp_posts: Data: 0.17MB + Index: 0.06MB
wp_revslider_css: Data: 0.13MB + Index: 0.00MB
wp_revslider_layer_animations: Data: 0.02MB + Index: 0.00MB
wp_revslider_navigations: Data: 0.02MB + Index: 0.00MB
wp_revslider_sliders: Data: 0.02MB + Index: 0.00MB
wp_revslider_slides: Data: 0.02MB + Index: 0.00MB
wp_revslider_static_slides: Data: 0.02MB + Index: 0.00MB
wp_termmeta: Data: 0.02MB + Index: 0.03MB
wp_terms: Data: 0.02MB + Index: 0.03MB
wp_term_relationships: Data: 0.02MB + Index: 0.02MB
wp_term_taxonomy: Data: 0.02MB + Index: 0.03MB
wp_usermeta: Data: 0.02MB + Index: 0.03MB
wp_users: Data: 0.02MB + Index: 0.05MB
wp_wc_download_log: Data: 0.02MB + Index: 0.03MB
wp_wc_webhooks: Data: 0.02MB + Index: 0.02MB
wp_wfblockediplog: Data: 0.02MB + Index: 0.00MB
wp_wfblocks7: Data: 0.02MB + Index: 0.05MB
wp_wfconfig: Data: 0.41MB + Index: 0.00MB
wp_wfcrawlers: Data: 0.02MB + Index: 0.00MB
wp_wffilechanges: Data: 0.02MB + Index: 0.00MB
wp_wffilemods: Data: 2.52MB + Index: 0.00MB
wp_wfhits: Data: 1.02MB + Index: 0.19MB
wp_wfhoover: Data: 0.02MB + Index: 0.02MB
wp_wfissues: Data: 0.02MB + Index: 0.06MB
wp_wfknownfilelist: Data: 1.52MB + Index: 0.00MB
wp_wflivetraffichuman: Data: 0.02MB + Index: 0.02MB
wp_wflocs: Data: 0.02MB + Index: 0.00MB
wp_wflogins: Data: 0.06MB + Index: 0.03MB
wp_wfnotifications: Data: 0.02MB + Index: 0.00MB
wp_wfpendingissues: Data: 0.02MB + Index: 0.06MB
wp_wfreversecache: Data: 0.02MB + Index: 0.00MB
wp_wfsnipcache: Data: 0.02MB + Index: 0.05MB
wp_wfstatus: Data: 0.13MB + Index: 0.09MB
wp_wftrafficrates: Data: 0.02MB + Index: 0.00MB
wp_yoast_seo_links: Data: 0.02MB + Index: 0.02MB
wp_yoast_seo_meta: Data: 0.02MB + Index: 0.00MB

### Post Type Counts ###

attachment: 50
custom_css: 1
customize_changeset: 34
nav_menu_item: 4
page: 7
post: 1
product: 14
revision: 124
shop_order: 2
wpcf7_contact_form: 1

### Security ###

Secure connection (HTTPS): ?
Hide errors from visitors: ?

### Active Plugins (9) ###

Breeze: by Cloudways – 1.0.10
Contact Form 7: by Takayuki Miyoshi – 5.1.1
Google Analytics Dashboard for WP (GADWP): by ExactMetrics – 5.3.7
WPBakery Page Builder: by Michael M - WPBakery.com – 5.6
Regenerate Thumbnails: by Alex Mills (Viper007Bond) – 3.0.2
Slider Revolution: by ThemePunch – 5.4.7
WooCommerce Menu Cart: by Jeremiah Prummer
Ewout Fernhout – 2.7.3

WooCommerce: by Automattic – 3.5.2
Yoast SEO: by Team Yoast – 9.3

### Settings ###

API Enabled: ?
Force SSL: –
Currency: USD ($)
Currency Position: left
Thousand Separator: ,
Decimal Separator: .
Number of Decimals: 2
Taxonomies: Product Types: external (external)
grouped (grouped)
simple (simple)
variable (variable)

Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog)
exclude-from-search (exclude-from-search)
featured (featured)
outofstock (outofstock)
rated-1 (rated-1)
rated-2 (rated-2)
rated-3 (rated-3)
rated-4 (rated-4)
rated-5 (rated-5)

### WC Pages ###

Shop base: #87 - /images-for-sale/
Cart: #122 - /shopping-cart/
Checkout: #127 - /checkout/
My account: #130 - /my-account/
Terms and conditions: #134 - /terms-conditions/

### Theme ###

Name: Total
Version: 4.7.1
Author URL: https://themeforest.net/user/wpexplorer
Child Theme: ? – If you are modifying WooCommerce on a parent theme that you did not build personally we recommend using a child theme. See: How to create a child theme
WooCommerce Support: ?

### Templates ###

Archive Template: Your theme has a woocommerce.php file
you will not be able to override the woocommerce/archive-product.php custom template since woocommerce.php has priority over archive-product.php. This is intended to prevent display issues.

Overrides: Total/woocommerce/archive-product.php
Total/woocommerce/loop/loop-start.php
Total/woocommerce/loop/pagination.php
Total/woocommerce/single-product/add-to-cart/variable.php
Total/woocommerce/single-product/rating.php
Total/woocommerce/single-product/title.php

@frankbiganski I just did some testing in my own store, and the files should be going to the woocommerce_uploads folder. That part is correct.

When they are uploaded there, they do not get the same thumbnails generated as when they are uploaded through the Media Library, which explains why they do not have thumbnails for the Media Library. This part may be something that changed with WordPress 5.x that WooCommerce may need to look into, but this actually seems correct to me.

As for directly linking to the images/files, this should not be possible if Force Downloads or X-Accel-Redirect/X-Sendfile are chosen for the File Download Method in WooCommerce > Settings > Products > Downloadable Products. There should be a .htaccess file present that blocks anyone from accessing the folder, sub-folders and files directly. Check to see if this is present either via FTP or via your cPanel. If it is not, it should be created when you go to the settings page mentioned before and save.

If the file is present and you are still able to get directly to the files, you will need to consult your host on how to reject access to the folder.

Thanks for your reply Jesse! I tried placing/uploading images in both the woocommerce_uploads folder and the media folder, and both are not protected. That is, if someone knows the URL to my larger images, they can directly access the larger image and download it without paying for it. And when the mouse is hovered over the product page image, one could click on it and the actual larger 5,000 x 3000 pixel image would be downloadable.

I have “Force Downloads” checked and I also have “Downloads require login” too. The file permissions are set to 755 and Cloudways denies me to change that.

When looking at my .htaccess file, aside from everything else in that file, I did notice this was all I saw regarding WC.

# BEGIN wccp_image_protection
# END wccp_image_protection

# BEGIN wccp_pro_image_protection
# END wccp_pro_image_protection

There obviously doesn’t appear to be anything written inside, correct? Maybe that’ the problem?

I also came across another post where a guy was having the same trouble 9 months ago, so that makes me feel it a design flaw and not an upgrade issue. But it appears his question went unsolved or the replies implied the system is working as it’s designed to. https://bit.ly/2QIIJhU

I also came across a tip to create a folder/directory outside of the public_html folder, but my hosting provider won’t let me do that. But I came across another post where someone didn’t like the magnifier appearing when they hovered their mouse over the image and allowing the visitor to click on the image causing the larger image to appear. This allows the visitor to see the 500×300 pixel image on the product page, but it won’t allow access to the larger downloadable image. Although I prefer the visitor is able to preview a larger image if using a tablet or laptop, this will work for now (unless some code can be added to the .htaccess that will do the trick).

.woocommerce div.product .images, .woocommerce-page div.product .images {
pointer-events: none !important;
}

I’m not familiar with what X-Accel-Redirect/X-Sendfile is, so I’ll research that to see if that can help. And I’m not sure if using Cloudflare is affecting or causing this either, so I’ll have to pause Cloudflare to see if that does anything.

But I sincerely appreciate everyone’s replies. I know there’s a solution to keep digital downloads protected, but it sure it difficult finding that solution (at least for this novice – I’m likely not using the correct search terms either ??

Happy Holidays!

Frank

@frankbiganski Sorry for the confusion, there should be a .htaccess file in the /woocommerce_uploads/ folder itself, and that file should only have a single line in it that says deny from all. If this isn’t working to block all access to all folders and files in /woocommerce_uploads/, then you would need to contact your host.

Concerning thumbnails and linking to the larger versions, you should have two versions of the image uploaded. One that is for your customers to download, and that is uploaded through the Add File section under the downloadable product. The other version should be a scaled down version, possibly covered in watermarks, that is used for an example for the customer to view. This smaller version would be the one that all thumbnails are generated from for the product page, galleries, etc.

Hi Jesse,

Thanks for you input Jesse as it’s definitively getting me closer to resolving this! There is an .htaccess file stating “deny from all,” and there’s also an index.html file within the WC uploads folder.

Access is denied at the folder level, but anything within the folder is accessible.

My hosting provider Cloudways said “This jpg format serve from nginx config that’s why it’s not deny[ing] from htaccess file.”

So now on to searching the interweb to see what that means, as my tech wouldn’t elaborate.

Maybe it has to do with my original installation too, with my host as when I create a new WordPress “application” (website) with Cloudways, they provide the option of creating a WooCommerce WordPress site or just a regular WordPress site.

When I created this site, I didn’t think I would be selling images so I only installed the basic WordPress install and installed Woo myself. Maybe with Cloudways, I have to let them install the WC at the initial WordPress install.

But haven’t gotten that far into building the site, so I’ll create a new application and start from scratch to see if that corrects the problem?

Thanks again!

Frank

@frankbiganski I wouldn’t go as far as starting over, the issue is just the software on the server allowing access to the files when it shouldn’t be. .htaccess files are for Apache, one web server software, and you are on nginx, a different one.

Here is what seems to be an explanation of what needs to be done for you on your server:
https://unix.stackexchange.com/questions/363346/block-access-to-a-file-or-location-on-nginx

I don’t fully understand server configuration myself, but the techs at your host should be able to assist you in denying access to the folder and files under it with this info.

Thanks again @jessepearson for all of your time. In communicating with the theme developer for my WordPress theme (WPExplorer), he suggested I consider implementing Amazon S3 web services to deliver my digital content as it does seem to be an easy and affordable solution for the novice in me. My head is spinning with all this info, so time to take it all in over a few days. Thanks again so much and Happy Holidays!

Hi there,

If you want to use Amazon S3 that would be a more robust solution for sure. You can use the Amazon to add in support for S3 here: https://woocommerce.com/products/amazon-s3-storage/

Happy Holidays!

The Amazon service is great and robust for sure, but it’s definitely an overkill for my needs as I really don’t anticipate so many online visitors and purchases within the first few years that would warrant spending the money or the time to learn this. Even though AWS offers the first year free, I just don’t want to go this far into setting up the AWS buckets and learning something this involved.

I’m now leaning towards a plugin from preventdirectaccess.com. It’s a little costly if outright purchased (about $270 outright or about $85 a year), but it’s a lot more plug-n-play friendly for my level of experience.

I am going to contact my host to see if they can add some code on the back end server, as Jesse’s link to stackexchange got me researching this “nginx content protection issue” some more, and content protection where nginx is involved is definitely an issue or problem.

I guess I’m just surprised that no one has created a work-around for this, especially since nginx is open source.

Anyway, thanks again for your replies and have a Happy New Year!

~ Frank

@frankbiganski Glad we got you down the right path. I am going to set this thread as resolved for now. Feel free to open a new one if needed.