I have an issue with 'woocommerce upload' folder because it has a .htaccess with "Deny from all" so that no-one can access the contents of the directory through a browser.
However, I want to allow access to the custom download link that WooCommerce generated whenever a virtual product has been purchased. Is there a way I can allow access for a specific URL that came from www.mydomain.com/download_file=xxx&email=&key=xxx?
Thank you!
Related
Good day, I'm a freelance developer and my quick question is: how do I hide the WordPress wp-content and wp-config files from a client, or stop the client from seeing them? They supplied me with cPanel logins, and there are sensitive files I don't want touched or viewed. Thanks
First of all, it is very important to know that a WordPress Administrator is able to see the wp_content, wp_config files and so on (if you have no restriction from your host). After all, there are some plugins (e.g. WP File Manager) that give direct access to this kind of file.
To prevent it, you can change the role from Administrator to Editor, or you can restrict the file permissions on the server.
Thank you
I don't know a lot about .htaccess.
I have a website with WordPress and I made part of it private, for subscribers only. I have installed a couple of WordPress plugins to control access to that page. The problem is that the "private" page links to a folder where I have a lot of .html pages. That is the folder I want to protect. I have used the HTTP_REFERER in the .htaccess but I know it is very easy to hack it.
Is there any way to write a command in the .htaccess file that checks the WordPress user file and sees whether the user belongs to the "subscriber" group?
I suggest protecting the private page with a password (this is a common feature in WordPress) and not messing with the .htaccess file.
Anyhow, there is no way to tell Apache (because the .htaccess is applied by it) that this or that user is a registered or approved user. This can be done on a different level: PHP and/or WordPress logic.
I have a private wordpress website which is made 'private' with a plugin. Now it asks users to enter a password to view the site. However, if someone has the full link to files that are uploaded on the site, they can download them without any authentication. I managed to prevent a directory listing with .htaccess but files can still be downloaded. Is there a way to prevent downloads unless the user is logged in? Perhaps with .htaccess itself?
I'm using the Contact Form 7 plugin in order to upload files to my server (images, PDFs...).
The plugin creates a folder inside wp-content/uploads/wpcf7_uploads, and there I have all my uploaded files. My problem is that I can't access them directly from my browser, like:
mysite.com/wp-content/uploads/wpcf7_uploads/myImage.jpg .
It seems that it is an .htaccess problem.
I tried to put a .htaccess file in the wpcf7_uploads folder with this:
Order allow,deny
Allow from all
but no luck.
Thank you
Contact form 7 only temporarily stores files and removes them once they have been e-mailed to the recipient(s).
You will need to hook into a CF7 action and handle this process in a different way to store it on the server.
Try this link
http://wordpress.org/support/topic/plugin-contact-form-7-leave-file-upload-on-server
I have a site based on WordPress. Only logged-in users can see posts, pages, and files (I use the s2member plugin).
I have a problem with disabling access to files for users who are not logged in.
I upload files and attach them to a post. Only logged-in users can see the post and attachments.
The problem is that a user who is not logged in can download files directly (e.g. http://my-site.pl/files/secret_file.pdf).
How can I prevent this? Some plugin, .htaccess?
My site is on shared hosting and I have access only via FTP.
There are potential solutions, but none stands out in practice -- each has its own set of thorns.
There are commercial plugins that implement access restriction on part or all of your WP site. Some allow to restrict files, some don't. Amember is one of the more established players in that arena. (I cannot recommend their offer, however. Amongst other problems I ran into, it didn't play well on a multi-server setup.) There probably are some free plugins that do the same since I last checked.
If you decide to code something yourself, there are multitudes of options. Three of them include:
Serving the file using php instead of Apache, and requiring the user to be logged in before serving the file. It works. And it's relatively easy to set up if you decide to be sloppy. It's not so easy if you want to set it up correctly: think partial files that need to be resumed, etc.
Conditionally serving the file using Apache. In essence, you create a user-specific file in a token folder, and you store the name of that file as a cookie when the user logs in. Then, have Apache rewrite rules deny access if the corresponding file isn't present in the token folder. This is not easy to set up.
Not restricting files at all and leaving things the way they are at the moment: a link to a publicly available file that only members can see. The rationale here is that no matter how well you restrict access to your pdf, it'll end up on a torrent site or a download site somewhere if a disgruntled user decides to share it.
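The first option in the answer above (serve the file through PHP and require a login), as an added example that is not part of the original answer. The script name `download.php`, the `protected` folder and the `file` query parameter are assumptions; the WordPress functions used are core ones.

```php
<?php
// download.php: added example, assumed to sit beside wp-load.php in the site root.
require __DIR__ . '/wp-load.php'; // boot WordPress so the login cookie is validated

// Assumed folder that Apache never serves directly (e.g. it holds "Deny from all").
const PROTECTED_DIR = __DIR__ . '/wp-content/uploads/protected';

if ( ! is_user_logged_in() ) {
    auth_redirect(); // redirects to the login form and exits
}

// basename() drops directory parts, so "../wp-config.php" cannot leave the folder.
$name = basename( (string) ( $_GET['file'] ?? '' ) );
$base = realpath( PROTECTED_DIR );
$path = realpath( PROTECTED_DIR . '/' . $name );
if ( $name === '' || ! $base || ! $path || ! is_file( $path )
    || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
    status_header( 404 );
    exit;
}

$size  = filesize( $path );
$start = 0;
$end   = $size - 1;

// Single byte-range support, so an interrupted download can be resumed.
$range = $_SERVER['HTTP_RANGE'] ?? '';
if ( preg_match( '/^bytes=(\d+)-(\d*)$/', $range, $m ) ) {
    $start = (int) $m[1];
    $end   = $m[2] === '' ? $end : min( (int) $m[2], $size - 1 );
    if ( $start > $end ) {
        status_header( 416 );
        header( "Content-Range: bytes */$size" );
        exit;
    }
    status_header( 206 );
    header( "Content-Range: bytes $start-$end/$size" );
}

nocache_headers(); // member files must not land in shared caches
header( 'Content-Type: application/octet-stream' );
header( 'X-Content-Type-Options: nosniff' );
header( 'Accept-Ranges: bytes' );
header( 'Content-Disposition: attachment; filename="' . addcslashes( $name, '"\\' ) . '"' );
header( 'Content-Length: ' . ( $end - $start + 1 ) );

while ( ob_get_level() ) { ob_end_clean(); } // stream; do not buffer the whole file
$in  = fopen( $path, 'rb' );
$out = fopen( 'php://output', 'wb' );
stream_copy_to_stream( $in, $out, $end - $start + 1, $start );
```

Links in posts then point at `download.php?file=secret_file.pdf`, while the folder itself keeps a "Deny from all" rule so the direct URL stops working.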
Use this in .htaccess. This allows users to download or view only .gif, .jpg, .jpeg, .png and .bmp files.
If you don't want to allow this, then remove the line "Allow from env=let_me_in".
I hope this will work.
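# Keep these rules outside the "# BEGIN WordPress" / "# END WordPress" block,
# because WordPress regenerates everything between those markers.
<IfModule mod_setenvif.c>
# SetEnvIfNoCase is provided by mod_setenvif, not mod_rewrite.
# If the URI is an image then we allow access
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png|bmp)$" let_me_in
</IfModule>
# Apache 2.2 access syntax; on Apache 2.4 it needs mod_access_compat.
Order Deny,Allow
Deny from All
# Allow access only if an image was requested
Allow from env=let_me_in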