Protecting files within folders on a WordPress site - wordpress

I have a private WordPress website which is made 'private' with a plugin. Now it asks users to enter a password to view the site. However, if someone has the full link to files that are uploaded on the site, they can download them without any authentication. I managed to prevent a directory listing with .htaccess, but files can still be downloaded. Is there a way to prevent downloads unless the user is logged in? Perhaps with .htaccess itself?

Related

cPanel WordPress file directory hide for client

Good day, I'm a freelance developer, and my quick question is: how do I hide or disable a client from seeing the wp content and wp config files of WordPress? They supplied me with cPanel logins and have sensitive files I don't want touched or viewed. Thanks
First of all, it is very important for you to know that a WordPress Administrator is able to see the wp_content, wp_config files and so on (if you have no restriction from your host). Why not? There are some plugins (e.g. WP File Manager) for direct access to this kind of file.
To prevent it, you can change the role from Administrator to Editor, or you can restrict the file permissions from the server.
Thank you

Deleting a URL in Wordpress Using FTP

I am trying to delete a specific URL for a website and cannot seem to locate the file in FTP. There is no public_html folder for the site when I FTP in. Does someone know where I might be able to access the pages?
Remove it via your WP admin login? Not via FTP?
By "URL" do you mean removing one of the webpages? Because you have to do that via your WordPress panel; you can't do that by FTP (you can do it via the database, though, I believe).
WordPress is a CMS system. You would need to log into the portal: http://yourdomainname.com/wp-admin. There are no actual pages. They are all theme files inside your WordPress theme folder (httpdocs/wp-content/themes/your-theme-name/page.php, though I don't think the URL would be there).

Unable to upload images in WordPress

I am unable to upload an image in WordPress.
The error comes out like this:
"Unable to create directory wp-content/uploads/2014/04. Is its parent directory writable by the server? "
How can I change the write permission so that I can upload images properly through WordPress?
On some installations of WordPress, when I try to download a new theme or plugin or even update an existing plugin, I get the following message:
"To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host."
How can I remove this protection so that I can upload and delete plugins, themes and images without any FTP credentials?
You must access the control panel of your account at your hosting company. Look for File Manager and change the permissions of the folders /wp-content/plugins and wp-content/uploads to 755, including sub-folders!

Only a WordPress group of users can access a folder using .htaccess

I don't know a lot about .htaccess.
I have a website with WordPress and I made a part private, only for subscribers. I have installed a couple of WordPress plugins to control the access to that page. The problem is that the "private" page links to a folder where I have a lot of .html pages. That is the folder I want to protect. I have used the http_refered in the .htaccess but I know it is very easy to hack it.
Is there any way to write in the .htaccess file a command that checks the WordPress user file and sees if the user belongs to the "subscriber" group?
I suggest protecting the private page with a password (this is a common feature in WordPress) and not messing with the .htaccess file.
Anyhow, there is no way to tell Apache (because the .htaccess is applied by it) that this or that user is a registered or approved user. This can be done on a different level: PHP and/or WordPress logic.

WordPress cannot create directory

I am trying to upload a new theme to my WordPress site.
I get an error "Can not create directory".
I'm sure it's a permissions error; however, I cannot figure out what to do.
I have set up a new server (CentOS), and I have all the ports open needed for FTP.
I can FTP from a different location through telnet.
My FTP user has full permissions to the directory.
How can I fix this?
From the File Permissions section of Hardening WordPress:
All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process.
/
The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
/wp-admin/
The WordPress administration area: all files should be writable only by your user account.
/wp-includes/
The bulk of WordPress application logic: all files should be writable only by your user account.
/wp-content/
User-supplied content: intended to be writable by your user account and the web server process.
Within /wp-content/ you will find:
/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
/wp-content/plugins/
Plugin files: all files should be writable only by your user account.
You wouldn't go wrong by reading the entire Hardening WordPress page, really.
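
An added example (not part of the original answer or of the Hardening WordPress page): a read-only shell audit that flags files breaking the write rules quoted above. It assumes the web server gets write access through group ownership, so group-write under wp-admin, wp-includes and wp-content/plugins is reported; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of a WordPress tree against the write rules
# quoted from Hardening WordPress. Function names and demo tree are constructed.

audit_wp_perms() {
    root=$1
    [ -f "$root/wp-config.php" ] || [ -d "$root/wp-includes" ] || {
        echo "not a WordPress root: $root" >&2
        return 2
    }
    # 1. Nothing in the tree should be writable by "other".
    find "$root" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # 2. Core and plugin code: writable only by the owning account.
    for sub in wp-admin wp-includes wp-content/plugins; do
        [ -d "$root/$sub" ] || continue
        find "$root/$sub" ! -type l -perm -0020 ! -perm -0002 |
            sed 's/^/GROUP-WRITABLE /'
    done
    # 3. Files directly in the root, except .htaccess (rewrite rules).
    find "$root" -maxdepth 1 -type f ! -name .htaccess -perm -0020 ! -perm -0002 |
        sed 's/^/GROUP-WRITABLE /'
}

# Build a constructed sample tree with two deliberate findings.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-admin" "$d/wp-includes" \
             "$d/wp-content/plugins/demo" "$d/wp-content/uploads"
    : > "$d/wp-config.php"; : > "$d/.htaccess"
    : > "$d/wp-includes/load.php"
    : > "$d/wp-content/plugins/demo/demo.php"
    chmod -R go-w "$d"                               # baseline: owner-only write
    chmod 664 "$d/.htaccess"                         # allowed exception
    chmod 775 "$d/wp-content/uploads"                # allowed: user content
    chmod 664 "$d/wp-content/plugins/demo/demo.php"  # finding: plugin code
    chmod 666 "$d/wp-includes/load.php"              # finding: core file
    echo "$d"
}

# Usage: sh audit.sh /path/to/wordpress  (no argument: audit the demo tree)
if [ $# -gt 0 ]; then
    audit_wp_perms "$1"
else
    demo=$(make_demo_tree) && audit_wp_perms "$demo"; rm -rf "$demo"
fi
```

An empty report means no file violates the rules checked here; theme files are not checked because the quoted guidance allows either setting for them.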
