Secure uploaded files in Wordpress - wordpress

I have site based on Wordpress. Only logged user can see posts, sites, and files (I use s2member plugin).
I have problem with disabling access to files for unlogged user.
I upload files, attach it to post. Only logged user can see post and attachements.
The problem is that unlogged user can download files directly (e.g. http://my-site.pl/files/secret_file.pdf).
How can I prevent this, some plugin, .htaccess?
My site is on shared hosting i have access only via ftp.

There are potential solutions, but none stands out in practice -- each has its own set of thorns.
There are commercial plugins that implement access restriction on part or all of your WP site. Some allow to restrict files, some don't. Amember is one of the more established players in that arena. (I cannot recommend their offer, however. Amongst other problems I ran into, it didn't play well on a multi-server setup.) There probably are some free plugins that do the same since I last checked.
If you decide to code something yourself, there are multitudes of options. Three of them include:
Serving the file using php instead of Apache, and requiring the user to be logged in before serving the file. It works. And it's relatively easy to set up if you decide to be sloppy. It's not so easy if you want to set it up correctly: think partial files that need to be resumed, etc.
Conditionally serving the file using Apache. In essence, you create a user-specific file in a token folder, and you store the name of that file as a cookie when the user log in. Then, have Apache rewrite rules deny access if the corresponding file isn't present in the token folder. This is not easy to set up
Not restricting files at all and leaving things the way they are at the moment: a link to a publicly available file that only members can see. The rational here is that no matter how well you restrict access to your pdf, it'll end up on a torrent site or a download site somewhere if a disgruntled user decides to share it.

Use this in .htacces. this allow user to download or view only .gif, .jpg,.jpeg,.png and .bmp files.
if you don't want to allow this then remove the line "Allow from env=let_me_in"
I hope this will work.
# BEGIN WordPress
<IfModule mod_rewrite.c>
# If the URI is an image then we allow accesses
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png|bmp)$" let_me_in
Order Deny,Allow
Deny from All
# Allow accesses only if an images was requested
Allow from env=let_me_in
</IfModule>
# END WordPress

Related

protect wordpress uploaded files access from non-logged-in users?

I have launched a WordPress site for a private group of people. This site serves as a public representational site, but also they make "posts" with "Private" checked, so only logged in users can see those posts. Everything would be OK, but they also upload image/document files and attach/include them to private or public posts. All is OK with public posts, but when the file is used in a private post, we assume the file is confidential. But here WordPress allows accessing any uploaded file directly via a link (URL), even if you're not logged in to the site from the browser.
I tried searching but can't find something that would actually work. Even FB private groups have this file access restriction for outsiders, GitLab also has permissions, where if you are not in a project, you can't access ANYTHING that's there. It seems like if I used WordPress/Joomla/Drupal, it would be hacking/messing around to achieve what I want.
Do you have any suggestions, maybe to access uploaded files through WordPress (PHP) and not directly via web server, so via PHP I could make some SQL queries and check in what posts that file is included and whether the user is logged in? Also maybe there are some plugins that do exactly that?
P.S. I wouldn't be asking if I knew WordPress in-and-out, but in this case, I just launched it more or less.
One option to fix this problem is to store the file contents in the database as a blob. This could be problematic if the files are large, however, as you predicted: you can ensure that the recipient is authorised before delivering the content. Another option might be to move the file when the post is saved so that it can't be accessed directly at the http endpoint.
In either of these cases, you might then use .htaccess to redirect any GET requests for files within that directory to a new php file that delivers the content. You can check to see if the user is logged in before delivery using standard WordPress function, and/ or pull the content out of the database on the fly. These options require custom code to achieve.
(Is the file being checked for malign content, and the filename being changed to something non-deterministic, by the way? This is a vector for attack.)
If you don't wish to code, you might consider a parallel installation of ownCloud or NextCloud and then in the private post, your users place a link to the file within the other service. Both of these applications provide a number of different clients for various devices, as well as the ability to restrict access to specific groups and users.

Only a wordpress group of user can access to a folder using .htaccess

I don't know a lot about .htaccess.
I have a web with Wordpress and I made a part private only for subscribers. I have installed a couple of Wordpress plugins to control the access to that page. The problem is that the "private" page links to a folder where I have a lot of .html pages. That is the folder I want to protect. I have used the http_refered in the .htaccess but I know it is very easy to hack it.
Is there any way to write in the .htaccess file a command that check the Wordpress user file and see if the user belongs to the "suscriber" group?
I suggest to protect the private page with password (this is common feature in Wordpress) and do not mess with the .htaccess file.
Anyhow, the is no way to tell the Apache (because the .htaccess is applied from it) that this or that user is registered or approved user. This can be done on different level - PHP and/or Wordpress logic.

Editing .htaccess without FTP access through Wordpress

I have no access to my FTP but I'm able to edit the web through Wordpress. Is there any way I could perhaps generate the .htaccess file through the admin framework? I know there might be a plugin to do that, but bear in mind I have no FTP access and the plugins require it to be installed.
I need the .htaccess file to redirect the user to another site.
I know this might strike you as weird and stupid, but this is due to the company's central decision to keep the site hosted by, I guess, a "friendly" hosting company. There's no way of recovering the login/password for FTP, so this might be the only solution.
Please, try posting constructive comments only, no "contact the hosting company". If I could, I would.
If your hosting company has set up wordpress correctly, then there is no way to do this, because unix permissions should make .htaccess read-only to the owner of the web server.
If the company has not done this, and if you have a way to change the templates, you might have success by creating a template that contains php code to open and write the .htaccess file.
Sample code to be put at the top of the header.php:
echo 'Current dir: ',getcwd(),"<br>\n";
if ($handle=opendir('.')) {
while (($file=readdir($handle))!==false) {
$ok=(is_writable($file) ? "ok" : "can't write");
echo "file '$file': $ok<br>\n";
}
closedir($handle);
}
This is to test you're in the root directory of your wordpress installation. It should give you the current directory, a list of all files in that directory (expect .htaccess, index.php, and various wp-* files), and their writability.
Once you've checked everything is correct, add
file_put_contents('.test', "RewriteEngine On\nRewriteRule ^(.*)$ site.com$1 [R=301,QSA,L]\n");
echo("<code><pre>-------- included file starts here\n");
include(".test");
echo("-------- included file ends here</pre></code>\n");
to the php code. This writes to a test file and includes it so you can check if everything is ok. When you've checked the file contents, replace .test with .htaccess.
WARNING: You should be VERY sure about the content of .htaccess. file_put_contents doesn't append the new string, it overwrites the whole file. Once you've written a bad .htaccess file, you might not be able to ever change it again, because the web server will redirect you to the new site instead of executing the script on the old site.
I am sorry for your situation. What is the hosting company (will keep this in mind if I ever use them). To try to help:
Do you have access to CPanel? Most hosting providers give it out of the box. Cpanel has a file manager.
Research Wordpress file managers (http://wordpress.org/plugins/wp-filemanager/)
How to edit wordpress .htaccess file from hosting Cpanel: If you are currently unable to login in your wordpress dashboard, or facing 500 internal server error. There is 90% possibility that you were editing your .htaccess file from your wordpress dashboard. In this situation you can only fix your wordpress .htaccess file by editing it from cpanel. Editing .htaccess file from wordpress dashboard is little risky with .htaccess editor plugins. If you will implement any wrong code then you might face 500 internal server error and your site might crush. So first you should take a backup of your existing .htaccess file before editing it. If you have a backup of your wordpress .htaccess file then you can upload it through your hosting cpanel also.
https://howtoways.com/how-to-edit-wordpress-htaccess-file-from-hosting-cpanel/

How to restrict access to web page by user

I want to prevent the access to the entire page, the page is on the cloud becuase it is on development, im working with SEO on the page and start appearing on google.
The page is not prepared to all people and i need to restrict the access by a simple user / pass floating form.
I see one example in the past but dont remember how exactly what i must do.
I remember that in htaccess i must write some line asking for the user / pass, and that lines link to a file on server that have the data. Can be something like that?
And can i do this on a Wordprees installation?
Thanks in advance.
Here is a link to use for .htaccess and .htpasswd files.
Generates the necessary files for you to place on your server
There is a FAQ there as well.
Create a Apache password file e.g. /path/to/passwords
Put this code in your .htaccess:
## password secure only sub.domain.com
SetEnvIfNoCase Host ^sub\.domain\.com$ SECURED
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/passwords
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED
The easiest answer within a WordPress site would be:
1) Go to Settings/Privacy and set the site as Ask search engines not to index this site. This will (source: Codex: Privacy Settings explained:
Causes <meta name='robots' content='noindex,nofollow' /> to be
generated into the section (if wp_head is used) of your
site's source, causing search engine spiders to ignore your site.
Causes hits to robots.txt to send back: User-agent: * Disallow: /
Note: The above only works if WordPress is installed in the site root
and no robots.txt exists.
Stops pings to ping-o-matic and any other RPC ping services(...)
Hides the Update Services option entirely on the Administration > Settings > Writing Screen with the message "WordPress is not notifying any Update Services because of your blog's privacy settings."
You should test if this is working, using for example Google Webmaster Tools
2) Add one of those plugins: Private Only, Registered Only or similar. They will prompt the login form to any visitor trying to see the site.
Then, you are ready to work online without worrying about site visibility. Just remember to undo those changes, specially step 1. It could get you mad later if you forgot that. It will undermine all of your SEO efforts.
There are also some nice plugins to set a 'Coming Soon' page and still be able to work on the theme that shows the 'coming soon' only for user that are not logged in.
Best regards!

Wordpress: prevent navigating to files in content folder unless logged in

So I'm working with an installation, and have files in my wp-content/uploads folder. I want to prevent people from navigating to it directly, or accessing it at all (including videos called in a podcast), unless they are logged into the site.
It this a simple htaccess thing? I'm not even sure where to start.
Add
Options All -Indexes
to your .htaccess file after the # END WordPress line.
It will prevent people from browsing your folders and display a forbidden message if they try. See:
http://catrabbit.com.au/wp-content/uploads/2010/10/
I misinterpreted the question. Sorry.
To clarify:
This stops everyone (logged in or otherwise) from browsing your folders. I'm not sure why do want to allow logged in users to browse the uploads folder in the first place...
Found a plugin to handle this:
http://wordpress.org/extend/plugins/private-files/

Resources