December 8, 2009 at 12:34 am #533 amin007 Participant
I get a few questions around protecting the downloads directory so just wanted to clarify one point… the “downloads” directory inside the plugin folder exists as a placeholder for your downloadable files but it doesn’t mean that you have to put your downloadable files inside that directory. In most situations the downloadable files for your digital product will be in a different location.
There are a few levels of additional measures that you can take based on how much security you want for your downloadable files.
When eStore lets your customer download a file via the encrypted download link, no one but the plugin itself knows where the file is truly located. Your customer won’t have any clue as to where it is coming from. Given that fact, most users are happy to upload their downloadable file(s) somewhere in their site and use it. Your customer would have to be really good at guessing the location to uncover the file location (highly unlikely).
With that said, you can use one of the following measures to add extra security to your downloadable files (kind of like adding some extra sauce):
1. Adding Extra Security Option 1
Make the folder names of your download directory hard to guess. For example, if you stored your downloadable files in the following location of your server then your customer’s chance of guessing the location would be really really slim:
2. Adding Extra Security Option 2
You could even store the downloadable files on another of your servers (if you had one). For example, the downloads for my premium plugins come from a URL like the following:
I bet you didn’t have any clue about this when you downloaded the plugin after purchase, did you?
All you saw is a link similar to the following:
When you clicked on it, you got the download. So, you can see that my downloads are well protected.
3. Adding Extra Security Option 3 (Storing Files Outside the Web Accessible Directory)
You can also store the digital goods in a non web accessible directory of your server (outside the “public_html” directory) and use eStore to serve the files. This way no one can even try to fish for it since it’s not in a web accessible directory.
This post explains more on this technique:
4. Adding Extra Security Option 4
The “downloads” directory inside eStore comes with a .htaccess, .htpasswd and an empty “index.php” file by default so someone just won’t be able to browse the “downloads” directory.
You can put this same .htaccess file on any folder where you are keeping your downloadable item. If you create sub-directories inside the download directory for your different products then you should copy the .htaccess file and put it inside every sub-directory so these sub-directories are not browsable either.
5. Adding Extra Security Option 5 (Using Amazon S3)
Another option is to use the Amazon S3 integration which can also ensure additional security of your digital asset:
May 31, 2010 at 11:15 pm #16543 okgood Member
If I have the .htaccess and .htpasswd files in the same folder with my digital product, then I get a message that says “file not found” when I click on the purchased product download link in my email or on my thank you page.
How do I ensure the product is protected while still allowing it to be downloaded for purchase?
June 1, 2010 at 12:12 am #16544 Ivy Member
Hi, some servers have issues with the “.htaccess and .htpasswd files”. In this case you will need to fix your server config. It is not that big of a deal to not have these access control files in the downloads directory because you can put your downloadable files anywhere you want as long as the plugin can access them. As explained above no one but the plugin itself knows where the file is truly located. When the link is sent out it will be encrypted and will not reveal the true location so the security is not compromised. If you have the empty “index.html” file in this directory even if someone was to find the location and browse the folder they will get a blank page.
Without knowing the path or folders on your server it is impossible to find a file…. especially, if your URL looks something like the following:
Ivy
June 1, 2010 at 10:40 am #16545 okgood Member
OK thanks … I’ll do it this way, to put the file in some random sub-directory with a blank index page in the main downloads directory.
October 13, 2010 at 1:53 am #16546 amin007 Participant
This is another good related post for this topic:
November 10, 2011 at 12:00 am #16547 admin Keymaster
Another good tip here (suggested by one of our users):
I am testing… and here is what seems to work for me: folder/directory permission set to 700, file permission set to 400.
Only the plugin can access it.
BUT, please try it in different browsers and see if it works 100% ok.
Of course, adding the .htaccess is good too.
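An added example, not part of the thread or of the eStore plugin's code: a Python audit that checks a download directory against the measures discussed above (location outside the web root, an .htaccess and index file in every directory, 700/400 permissions). The function names, issue labels and sample paths are assumptions made for illustration, and it assumes a POSIX server.

```python
import os
import stat
import tempfile

# Files the thread says ship with the "downloads" directory (not products).
CONTROL_FILES = {".htaccess", ".htpasswd", "index.php", "index.html"}

def audit_download_dir(download_dir, web_root):
    """Return (issue, path) findings for the measures discussed in the thread."""
    download_dir = os.path.realpath(download_dir)
    web_root = os.path.realpath(web_root)
    findings = []
    # Option 3: is the directory under the web root (e.g. public_html)?
    inside = os.path.commonpath([download_dir, web_root]) == web_root
    if inside:
        findings.append(("web-accessible", download_dir))
    for current, _dirs, files in os.walk(download_dir):
        # Permission tip from the thread: directories 700 (no group/other bits).
        if stat.S_IMODE(os.stat(current).st_mode) & 0o077:
            findings.append(("dir-perms", current))
        if inside:
            # Option 4 as advised in the thread: .htaccess and an index file
            # copied into every sub-directory.
            if ".htaccess" not in files:
                findings.append(("no-htaccess", current))
            if not {"index.php", "index.html"} & set(files):
                findings.append(("no-index", current))
        for name in files:
            path = os.path.join(current, name)
            # Permission tip from the thread: product files 400 (owner read-only).
            if name not in CONTROL_FILES and stat.S_IMODE(os.stat(path).st_mode) & 0o377:
                findings.append(("file-perms", path))
    return findings

def build_sample(base, dir_mode, file_mode):
    """Create a constructed one-file download directory for the demo."""
    os.makedirs(base)
    product = os.path.join(base, "product.zip")
    open(product, "w").close()
    os.chmod(product, file_mode)
    os.chmod(base, dir_mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")
        weak = build_sample(os.path.join(root, "downloads"), 0o755, 0o644)
        strong = build_sample(os.path.join(tmp, "private", "goods"), 0o700, 0o400)
        for label, d in (("weak", weak), ("strong", strong)):
            print(label, [issue for issue, _ in audit_download_dir(d, root)])
```

An empty result means every check passed; whether 700/400 still lets the plugin read the files depends on PHP running as the file owner, which is why the tip above asks you to test it.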
- The topic ‘Download Directory Protection’ is closed to new replies.