Secure Files Plugin « Wordpress « almost effortless
Fri, 23 Sep 2005, 3:37pm #1
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

almosteffortless wrote:

This plugin allows you to upload and download documents that are stored outside of your web document root for security purposes.

This is great for people using plugins like Registered Only, which you can read about here, that secure your Wordpress content (Posts, Pages, etc).

The problem with this is that your loose files aren’t protected - only the contents of your Wordpress database. So, any images or other documents you’ve uploaded are easily accessible to those who aren’t authenticated via a plugin like Registered Only. This plugin aims to solve this problem.


http://www.almosteffortless.com/wordpress/secur...

Sun, 02 Oct 2005, 12:24pm #2
fullo
New member
Registered: Oct, 2005
Last visit: Sun, 02 Oct 2005
Posts: 1

[edit]Post removed by admin while a fix is put in place for an exploit discovered by fullo...[/edit]

Mon, 03 Oct 2005, 12:41am #3
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

I've made a small change in the code which fixes the potential exploit pointed out by fullo.

All users of the Secure Files plugin should update to the newest version:

http://www.almosteffortless.com/wordpress/secur...

Thanks for the help, fullo, and I'm sorry for the inconvenience.

Fri, 15 Sep 2006, 8:02pm #4
blinkman
New member
Registered: Sep, 2006
Last visit: Thu, 26 Oct 2006
Posts: 3

Trevor,

I'm delighted to have found this plugin, but I can't seem to get it to work. I've installed the Secure Files plugin and everything appears to be okay. On the Manage-->Secure Files page, the plugin acknowledges the Secure Files Directory that I specified, and lists the two files I put in that directory via FTP. Looks good so far.

However, when I try a download link, I get the File Not Found error.

Also, when I attempt to upload a file via the Secure Files page, I get the error telling me to check my Options. I think this must be a related issue, but my Secure Files Directory setting seems to be good...not sure what else I could try here.

I'm using WordPress version 2.0.4 ...is it possible there is a compatibility issue somewhere?

Hope you can help! Thanks.

Fri, 15 Sep 2006, 8:30pm #5
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

First, a file won't work if it has an "&" in the title. That's a problem I can't figure out how to get around. I'm sure there's a way, but that's a known problem.

Otherwise, if you're seeing errors with the plugin, you should double-check that the folder you are making to store the files is (a) above your world-accessible root directory. So, if all of your files are in the /home/blinkman/www/ directory, then you need to put them at least above the /www/ part. Something like /home/blinkman/secure_files/ would be fine.

That directory must be set correctly in the Options page. Read the directions there closely, because they have some details that might be of help to you.

The last thing is that the directory must be writable. If you need more help with that, check out the Wordpress Codex.

Let me know if this helps.
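The setup Trevor describes (a directory above the web root, a download link that goes through the plugin, and the WordPress login as the only gate) as an added example in PHP. This is not the Secure Files plugin's code: the option name 'example_secure_files_dir', the query parameter 'example_file' and the function names are assumptions chosen for the illustration, and, going beyond the flat directory the plugin handles, it also accepts paths in subfolders of the secure directory while refusing anything that resolves outside it.

```php
<?php
/*
 * Added example, not the Secure Files plugin's own code. A minimal WordPress
 * download handler for files kept outside the web root: the file is readable
 * only through this script, which re-checks the WordPress login on every request.
 *
 * Hypothetical names (not from the thread): the option 'example_secure_files_dir'
 * holds the absolute path of the directory (e.g. /home/blinkman/secure_files) and
 * the query parameter 'example_file' holds a path relative to it.
 */

/* Resolve $rel inside $base_dir; return the real path, or false if it escapes or is missing. */
function example_secure_file_path( $base_dir, $rel ) {
    $rel = str_replace( '\\', '/', $rel );
    // Reject empty names, absolute paths and NUL bytes outright.
    if ( $rel === '' || $rel[0] === '/' || strpos( $rel, "\0" ) !== false ) {
        return false;
    }
    // Reject empty, "." and ".." segments, so "../wp-config.php" never reaches the filesystem.
    foreach ( explode( '/', $rel ) as $segment ) {
        if ( $segment === '' || $segment === '.' || $segment === '..' ) {
            return false;
        }
    }
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . '/' . $rel );
    if ( $base === false || $path === false || ! is_file( $path ) ) {
        return false;
    }
    // realpath() has resolved symlinks; confirm the target still lies below the base directory.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strpos( $path, $prefix ) !== 0 ) {
        return false;
    }
    return $path;
}

/* Link to paste into a post. rawurlencode() keeps "&", "#" and spaces in file names from breaking the query string. */
function example_secure_file_link( $rel ) {
    return get_bloginfo( 'url' ) . '/?example_file=' . rawurlencode( $rel );
}

function example_secure_file_download() {
    if ( ! isset( $_GET['example_file'] ) ) {
        return;
    }
    // The login is checked on every request, not only when the link was rendered.
    if ( ! is_user_logged_in() ) {
        wp_die( 'You must be logged in to download this file.' );
    }
    $dir  = get_option( 'example_secure_files_dir' );
    $path = example_secure_file_path( $dir, stripslashes( $_GET['example_file'] ) );
    if ( $path === false ) {
        // Same message whether the option is wrong or the name does not resolve.
        wp_die( 'File not found.' );
    }
    // Strip characters that would let a file name inject extra header fields.
    $download_name = str_replace( array( '"', "\r", "\n" ), '', basename( $path ) );
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $download_name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
add_action( 'init', 'example_secure_file_download' );
```

The path check is the part that matters: because the script, not the web server, reads the file, the user-supplied name decides what is opened. The segment check rejects traversal before anything touches the filesystem, and the realpath() comparison is a second line of defence that also catches a symlink inside the secure directory pointing back out of it. Returning the same generic "File not found" in both failure cases keeps a caller from learning which check failed.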

Tue, 19 Sep 2006, 6:24pm #6
blinkman
New member
Registered: Sep, 2006
Last visit: Thu, 26 Oct 2006
Posts: 3

I have done all these things, and triple-checked them. My directory is a level above the root, and it is writable. There are no "&" characters in my filenames.

Very odd. I'm stumped. Anything else you can suggest? I'd LOVE to get this working.

Thanks Trevor.

Tue, 19 Sep 2006, 10:56pm #7
SteveM
New member
Registered: Sep, 2006
Last visit: Fri, 20 Oct 2006
Posts: 4

Trevor,
Great plug-in...just what I've been looking for to help keep uploads/downloads from easy access.

Question: is there any way to enable incorporation of the Apache htaccess password URL? I had been trying to use javascript to hide right-click and status window URL on protected file locations in combination with that means of "autologin" to protected directories. But that is readily defeated by either using Firefox or turning off javascript.

The form would be: http://username:password@www.normalURL.com/protected_directory.

Since you specify root directories I haven't tried to jerry-rig the code to accept the URL (not like I expect I really could successfully anyhow). My thought is that would create yet another barrier to protect files.

My application is for a local association that wants the majority of the site wide open with unrestricted access, but association budgets and Board minutes are only to be accessible to their 3000 members. So two wordpress installations provide the different access levels to the site, one without any registration and one registered-only. Because the site will ultimately be maintained by novices, I need to keep the upload and linking process incredibly simple, and can't expect them to handle much more than cut and paste of code. Your plug-in works very nicely for that purpose, I would just feel more comfortable if I could incorporate the htaccess URL and make the directory password protected.

Thanks in advance for a great plug-in and even considering this option.
Cheers

Wed, 20 Sep 2006, 8:48pm #8
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

I don't know of any way to do this, sorry. I looked around for something like that, and I never came across it. I did find some nice GUIs for making .htaccess username/password combos, but that was about it.

I would think they should be able to deal with uploading via the secure files plugin, though. Unless I'm missing something, the Secure Files plugin should be enough to solve your problem. The whole point is to upload the files into a directory ABOVE your root (web-accessible) directory. So, that way, the files are protected from people not logged into Wordpress. The plugin even gives them the link to cut and paste...

Thu, 21 Sep 2006, 5:33pm #9
SteveM
New member
Registered: Sep, 2006
Last visit: Fri, 20 Oct 2006
Posts: 4

I was afraid I would see the response you posted.

I agree with you that your plug-in should provide sufficient security, and the cut and paste feature makes it very straightforward for them to use.

I hope I didn't mis-state my thorough appreciation for the adequacy of your plug-in. I was looking for an enhancement, not a fix.

From working within these kinds of organizations you see how sloppy it can be in terms of security -- my 'protection' scenario would require someone learning the directory structure of the site. Your plug-in would stop them from sending someone the link to 'private' files via anything they could see in the WP pages, secure FTP stops direct probing, but, in theory, if they guessed the directory structure (or were told it by one of the organization's admin folks) they could, in theory, tap the file through the URL (which the password .htaccess would stop).

These are not high value hack targets by any stretch. So I'm probably way over worrying all this.

Once again, thanks for a great plug-in and even considering my concerns.

With great respect

Fri, 22 Sep 2006, 12:19pm #10
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

Maybe I'm still confused here:

in theory, if they guessed the directory structure (or were told it by one of the organization's admin folks) they could, in theory, tap the file through the URL (which the password .htaccess would stop).

I might be misreading this, but if you put your Secure Files directory "above the web root" then it would not be accessible via anything other than FTP (or the plugin). The whole reason I made this plugin was to have a "single login" instead of using .htaccess - which I was using before.

Can you try to clarify what you're looking for? I think I'm just missing it.

Fri, 22 Sep 2006, 3:47pm #11
blinkman
New member
Registered: Sep, 2006
Last visit: Thu, 26 Oct 2006
Posts: 3

I'm not giving up on this. One more plea for help:

Again, the plugin acknowledges my Secure Files directory, and lists the files in it. Therefore the directory location and permissions are correct...I think...

But attempting to download gives the "File not found" error--this generated by the plugin code, not the server.

What does it all mean?

Thanks again, sorry to keep bothering you with my trouble!

Fri, 22 Sep 2006, 4:48pm #12
SteveM
New member
Registered: Sep, 2006
Last visit: Fri, 20 Oct 2006
Posts: 4

Trevor wrote:

Maybe I'm still confused here:

Can you try to clarify what you're looking for? I think I'm just missing it.


I don't think you are missing it; I think I'm working with a non-typical shared server service. As best I can tell, all the paths that I have access to as administrator on my hosting account are also web accessible. I may be missing it, but as best I can tell my hosting service (or the organization's hosting service) has configured all directories as within a webroot...I can't get up any higher in the path.

In light of this it appears the best I can do is hide the structure and take advantage of the plugin not disclosing the file path.

Sorry to be confusing, and again, thanks for your responses and consideration.

Fri, 22 Sep 2006, 4:57pm #13
SteveM
New member
Registered: Sep, 2006
Last visit: Fri, 20 Oct 2006
Posts: 4

blinkman wrote:

But attempting to download gives up the "File not found" error--this generated by the plugin code, not the server.

What does it all mean?


Trevor is the expert obviously, but I would look in two areas as a start. The error is so broad that the potential problems are vast but I would start by checking to see that the "file-id?" portion of url is correct and that the download coding is copied and pasted directly from the plugin, not from the Write-Post page.

Next I would check the file directory itself for any CHMOD status and any .htaccess restrictions... if you created a series of subdirectories to get to the file repository you may need to check each one.

If the link code is correct then something about the server configuration is kicking back a 404 code due to 1) access not allowed, 2)the type of access you want is not allowed or 3) no such file exists where requested. If you've ruled out 3) then, as Sherlock Holmes says, however improbable, one of the other two must be the cause.

Hope this helps.

Mon, 25 Sep 2006, 12:50pm #14
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

Also, there is a known problem if the file name has "&" in it. Try making a simple image called "test.jpg" or something very short like that, and see if you're still having problems. Double-check that you're using the right URL, too.

SteveM, if you can't get any higher than your web root, then I think .htaccess might be your only option, actually. In that case, I'd look around for something that gives you a GUI for managing user/pass combos.

That could make a pretty interesting plugin, actually. I don't think it would be too terribly hard to link the WP user system to your .htaccess file - I think WP lets you write to the .htaccess, too...

Tue, 31 Oct 2006, 4:21am #15
alex
New member
Registered: Oct, 2006
Last visit: Tue, 31 Oct 2006
Posts: 1

I have one major problem - if someone checks the history in a browser they can access the file without any need to authenticate. I am using a plugin to secure a category which works well.
I realise that placing above the www root gives it added protection but access by the history means I cannot use it. - is there any way to prevent this?
Does this mean I have to use .htaccess?

Tue, 31 Oct 2006, 10:47am #16
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

I'm not sure how to lock things down in that way, alex. Sorry! I'd try .htaccess and see if it works better.

Tue, 14 Nov 2006, 3:32pm #17
j101
New member
Registered: Aug, 2006
Last visit: Tue, 14 Nov 2006
Posts: 3

Does this plugin work in Internet Explorer 7?

thanks,

Tue, 14 Nov 2006, 4:11pm #18
j101
New member
Registered: Aug, 2006
Last visit: Tue, 14 Nov 2006
Posts: 3

oh, answered it myself

thanks,

Thu, 14 Jun 2007, 4:04am #19
albandi
New member
Registered: Jun, 2007
Last visit: Thu, 14 Jun 2007
Posts: 1

great plugin solving problems!!!

question:
how can I display the secure file list in a page (links)?

Thu, 14 Jun 2007, 10:57pm #20
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

Well, I don't know of an automated way to do it, but you could try 2 things:

1. Do a "view source" on the secure files page in your wp-admin folder. Use the code there that displays the files in your page.

OR

2. Take the portion of the code in the secure files plugin that retrieves the file listing and creates the links, and use that in a custom theme file. If you don't know anything about custom themes, check out the wordpress codex.
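An added example (not the plugin's code) of the second option: a template tag for a custom theme file that walks the secure directory and prints a link for every file through a download handler. It assumes the hypothetical option name 'example_secure_files_dir' and query parameter 'example_file' for that handler, and it also descends into subfolders, which goes beyond the flat directory the plugin lists.

```php
<?php
/*
 * Added example, not the Secure Files plugin's own code: list every regular file
 * below the secure directory and link each one through a download handler that
 * takes the relative path in the (hypothetical) 'example_file' query parameter.
 */

/* Return the relative paths of all regular files below $base_dir, sorted, using "/" as separator. */
function example_secure_file_list( $base_dir ) {
    $base = realpath( $base_dir );
    if ( $base === false || ! is_dir( $base ) ) {
        return array();
    }
    $files = array();
    $it    = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $base ) );
    foreach ( $it as $entry ) {
        if ( $entry->isFile() ) {                 // "." and ".." are not files and are skipped
            $rel     = substr( $entry->getPathname(), strlen( $base ) + 1 );
            $files[] = str_replace( DIRECTORY_SEPARATOR, '/', $rel );
        }
    }
    sort( $files );
    return $files;
}

/* HTML list of links: the path is URL-encoded for the query string and HTML-escaped for display. */
function example_secure_file_links_html( $base_dir ) {
    $html = "<ul class=\"secure-files\">\n";
    foreach ( example_secure_file_list( $base_dir ) as $rel ) {
        $href  = get_bloginfo( 'url' ) . '/?example_file=' . rawurlencode( $rel );
        $html .= '<li><a href="' . htmlspecialchars( $href, ENT_QUOTES ) . '">'
               . htmlspecialchars( $rel, ENT_QUOTES ) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

/* In a theme file, for logged-in visitors only; the handler itself must still check the login. */
if ( is_user_logged_in() ) {
    echo example_secure_file_links_html( get_option( 'example_secure_files_dir' ) );
}
```

Showing the list only to logged-in users hides the file names from anonymous visitors, but it is not the access control: the download handler behind the links has to check the login on every request regardless of who rendered the page.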

Thu, 21 Jun 2007, 9:29am #21
carloschegado
New member
Registered: Jun, 2007
Last visit: Sun, 24 Jun 2007
Posts: 1

Hi,

Thanks for this nice plugin.
I have it working nicely but seems it only works for files that are in the secure file directory, doesn't seem to work if I put several folders with images inside the secure files directory.

The problem is I am using this to protect many photo albums and each album needs a folder with several files in it (thumbs and images with the same name) so, how can I make it work like this?

/secure-file-directory/folder1/file1.jpg, file2.jpg, file3.jpg.etc
/secure-file-directory/folder2/file1.jpg, file2.jpg, file3.jpg.etc
/secure-file-directory/folder3/file1.jpg, file2.jpg, file3.jpg.etc
/secure-file-directory/folder4/file1.jpg, file2.jpg, file3.jpg.etc

Sat, 23 Jun 2007, 11:33am #22
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

carloschegado, unfortunately, that's a bit out of scope for me. It's possible (you'd have to add something to the file retrieval code to search multiple directories for files) but I don't plan on adding such a feature. If anybody else would like to take it on, though, that would be great!

Fri, 27 Jul 2007, 12:25pm #23
willismorse
New member
Registered: Jul, 2007
Last visit: Mon, 19 Nov 2007
Posts: 3

I've been using this plugin with great success lately. Combined with the Registered Users plugin and HTTPS-only access, I'm reasonably confident that this site will withstand mild hacking attempts.

I was having a problem getting IE to download anything controlled by this plugin, however. IE reports that it couldn't find the site.

It turns out that IE always respects the HTTPS header flag "no-cache" when connected over SSL. If this flag is present in the headers, IE refuses to download files.

WP seems to use this flag for all headers. When I turned this off in functions.php, IE started working.

I suppose it's not a good idea to turn this off for everything that WP serves up. Is there any way to get this plugin to suppress these flags whenever it delivers a file for downloading?

Fri, 27 Jul 2007, 6:03pm #24
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

Hmm...

I thought I was setting all the headers, but maybe not. Can you have a look at the plugin code (http://dev.wp-plugins.org/browser/secure-files/... and let me know what I might change to fix this?

Knowing what you changed in functions.php would be helpful in any case.

Thanks for the heads-up!

Fri, 27 Jul 2007, 6:24pm #25
willismorse
New member
Registered: Jul, 2007
Last visit: Mon, 19 Nov 2007
Posts: 3

Trevor -

I just commented these two lines out in functions.php:

@header('Cache-Control: no-cache, must-revalidate, max-age=0');
@header('Pragma: no-cache');

I'd have to guess that your header flags are getting appended to the default header flags in function.php, rather than replacing them.

But I don't have much experience with Wordpress internals.
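One way to handle this from the plugin side rather than in functions.php, as an added example that is not the plugin's or WordPress's own code. PHP's header() replaces an earlier header of the same name unless its second argument is false, so whichever code sends a given header last wins: a download handler that sends its own Cache-Control and Pragma immediately before readfile() overrides the no-cache values WordPress set earlier, leaving every other page untouched. The function name is an assumption; the HTTPS test uses $_SERVER directly because the thread's WordPress versions predate is_ssl().

```php
<?php
/*
 * Added example, not the plugin's or WordPress's code: cache headers for a file
 * download, sent from the handler right before readfile() so they replace the
 * site-wide no-cache headers for this response only.
 */

/* True when the current request arrived over HTTPS. */
function example_request_is_https() {
    return ! empty( $_SERVER['HTTPS'] ) && strtolower( $_SERVER['HTTPS'] ) !== 'off';
}

function example_send_download_cache_headers( $is_https ) {
    if ( $is_https ) {
        // Older Internet Explorer will not save a file received over SSL when the
        // response carries "no-cache"/"no-store" or "Pragma: no-cache". "private"
        // still keeps shared caches (proxies) from storing the document.
        header( 'Cache-Control: private, max-age=0', true );
        if ( function_exists( 'header_remove' ) ) {   // PHP 5.3+
            header_remove( 'Pragma' );
        } else {
            // Before PHP 5.3 a header cannot be unset, only overwritten with a harmless value.
            header( 'Pragma: public', true );
        }
    } else {
        // Over plain HTTP keep the strict no-store policy for authenticated content.
        header( 'Cache-Control: no-store, no-cache, must-revalidate, max-age=0', true );
        header( 'Pragma: no-cache', true );
    }
}

/* Usage inside a download handler, after $path has been validated and the
 * Content-Type / Content-Disposition / Content-Length headers have been sent:
 *
 *   example_send_download_cache_headers( example_request_is_https() );
 *   readfile( $path );
 *   exit;
 */
```

Because the override is scoped to the one response that delivers a file, the rest of the site keeps WordPress's no-cache behaviour for logged-in users, which is what the per-page toggle in functions.php cannot do.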

Sat, 28 Jul 2007, 7:29am #26
Trevor
Administrator
Wait-ill-fix-it
Registered: Sep, 2005
Last visit: 3 hours ago
Posts: 240

OK. Thanks for the tip. I'll look into it when the problem pops up on sites I'm hosting. Just out of curiosity, are you running 2.1? I'm sticking with 2.0.x for now. Maybe they changed something in 2.1 that's causing this to be a problem.

Sat, 28 Jul 2007, 8:28am #27
willismorse
New member
Registered: Jul, 2007
Last visit: Mon, 19 Nov 2007
Posts: 3

We're using 2.2.1

If no-caching on all pages turns into a problem, I'll look into the problem deeper on our end.

Thanks for the great plugin,
Willis Morse
