simple solution for restricting access to (some) uploads/downloads

I’m hereby answering my own question, because i found a solution, but I’m really interested in your opinions towards it. Or maybe you have a much better solution, if so, I really would like to here about it.

Research result

My research results were:
1. get the files outside of the document root, www folder;
2. disallow any direct access to the folder containing the files;
3. let a script handle the requests to the files;
The sources for those points are – at least mostly – included in my question.

Solution

  1. I installed the plugin »wp-downloadmanager«
    • a folder called files will be created inside wp-content in the process;
  2. I added a .htaccess file to the new files folder:
    • content of the .htaccess:
      Options All -Indexes
      Order Deny,Allow
      Deny from all
  3. I changed one important option of the plugin:
    • the option I mean is download method;
    • I changed it to output file;
  4. I added some files over the plugin interface:
    • there is a option called allowed to download;
    • which allows to restrict access based on user role/capability;
  5. I did some testing:
    • no direct access to the files – not over the addressbar or wget;
    • public downloads can be reached via their permalinks – I choose »nice permalinks: yes« and »download url: file id« on the options panel – addressbar/wget is working too;
    • protected, restricted downloads are only accessible if logged in as user with the correct role/capabilities;

Concluding thoughts

I’m thinking the solution pretty much follows the research results. Apart from placing the files outside. But restricting access to/protecting the directory and let a script handle file requests is fullfilled. The restriction of access is handled by the .htaccess and the script in this case is the plugin wp-downloadmanger.

Supplementary notes

  • it is absolutely necessary to change the download method to output file

  • and of course it is a must that the .htaccess file is in place

  • to check on the fact that the plugin takes over the role of the script take a look at wp-downloadmanger.php – about lines 207 to 227 (version 1.6.1); this is meant as complementary point to the linked information

Related Posts:

  1. Password protect some uploaded files, so only logged-in users can view them
  2. Basic File/Post restriction plugin
  3. How do I protect my uploads?
  4. How does WP media uploader create the 3 different sized images, and how can I duplicate it
  5. Protecting direct access to PDF and ZIP unless user logged in (without plugin)
  6. Saving images from Gravity Forms repeatable File Upload as post attachments [closed]
  7. What permissions does wp-content/uploads need?
  8. can not upload file .vtt on wordpress 5.0.1
  9. How to get all files inserted (but not attached) to a post
  10. What are the security reasons to disallow Microsoft Word uploads?
  11. How to protect uploads in multisite if user is not logged in?
  12. How to check if an image attachment exists before uploading
  13. File upload from front-end form (as attachment) not working
  14. File Upload Permissions
  15. Add suffix to filename of uploaded images
  16. Check if image exists before uploading with media_sideload_image()
  17. Add a YouTube or Vimeo video as a post attachment?
  18. Extend the list of MIME-types supported by the builtin uploader in 3.3
  19. How can I save the original filename to the database?
  20. ACF attachment custom field in rest response
  21. How to solve: An error occured in the upload
  22. How to safely allow user upload on CPTs?
  23. Images not being generated at correct size
  24. How to manage a big collection of files with wordpress?
  25. Use the WP media uploader dialog for uploading a form attachment (non-admin). Offering progress and drag and drop feedback
  26. Protecting uploads not working
  27. making media URL secured
  28. Is it safe to allow non-admin users access to media uploader
  29. Rename attachment filenames to attachment ID on upload
  30. What is the way to add additional fields to attachments in 3.5+?
  31. How to edit attachment with media-upload.php?
  32. Upload iPhone video clips to blog via native WP app
  33. How to load attachment in media library for current user?
  34. How does WordPress decides how many sizes of an image to create?
  35. Is it safe to upload JSON files to upload folder?
  36. Setting up a HIPAA secured form / file upload
  37. Upload and attach to a post multiple image files [closed]
  38. wp_generate_attachment_metadata for non-images files
  39. How to add filetype to meta value when using wp_upload_bits?
  40. Insert attachments from custom uploader into post (regular uploader style)
  41. PDF Upload from Input Error
  42. Do custom post type (CPT) attachments/media store the parent post ID?
  43. Limit users to specific uploads
  44. Using unzip_file() to get contents of file
  45. Where to store sensitive uploaded file?
  46. What is wrong with my wp_insert_attachment code?
  47. Adding attachment custom field metadata to TinyMCE tag
  48. Updating the attachment from front end doesn’t show the new change
  49. Set attachment category from file name on upload
  50. “Could not write file” error in wp_upload_bits function
  51. _d_improd_ directory in uploads breaking site images
  52. Check if author or uploader id of the attachment(uploaded) image is match?
  53. Limit attachment caption characters
  54. WP upload/select image , isn’t this a security issue?
  55. limit the access to uploaded files
  56. What is the best way to upload a temporary & sensitive file and then delete it when done
  57. controlling whether upload is attached to post or not
  58. How to force attachment size for every post
  59. Attachment Metadata not updated while uploading audio files
  60. Upload file to front-end form and send as email attachment
  61. Limit number of uploaded attachments of specific context
  62. How do I update attachment urls after changing site domain
  63. Auto shortlink for file uploads
  64. How to parse an image that was just uploaded to make sure it doesn’t contain malicious code?
  65. How to properly move media files and update data?
  66. How to add a custom field to the media screen (image/gallery)?
  67. Large Uploads in WordPress
  68. How to prevent upload of a multiple sizes of images
  69. Convert uploaded PNG to JPEG automatically
  70. Incremental number handling on duplicate file names
  71. How to upload all media to one folder, with no year/month subfolders
  72. upload files dynamically to user folders
  73. How to delete uploads not in media library?
  74. How to decrease the file size upload limit?
  75. Site icons with alpha channel for self-hosted WordPress blog network
  76. Using subdomain to upload media/images etc on 2 different blogs
  77. Can I upload a file to the site so that it is not accessible via an HTML page?
  78. How to implement secure frontend image upload? [closed]
  79. wp_handle_upload: get custom checkbox value from media uploader
  80. Edit User Profile From Front End
  81. How can I upload to wp media library by foundation zurb ajax
  82. HTTP Error When Uploading Images with HTTPS?
  83. Saving file to disk receiving fopen error
  84. Error when upload images larger than 1024px [closed]
  85. uploaded images not going to /uploads folder
  86. Setting image upload absolute path?
  87. limit media upload to once a day
  88. How to download files to WordPress?
  89. How to detect when a file has been uploaded?
  90. WP_Query: attachment image in “full” size?
  91. Removing extra large generated images disables all crops
  92. How to Protect Uploads, if User is not Logged In?
  93. wp_delete_attachment doesn’t delete image files / doesn’t work
  94. Bulk upload images in upload folder does not show in media library
  95. WordPress media upload multiple images
  96. Media Upload Directory to MMYY instead of YYYY/MM
  97. Is there a way to force Featured image to show as attachement?
  98. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  99. Problems with defining UPLOADS constant
  100. Is it possible to restrict the number of media uploads (photos) per user?

Leave a Comment