Securing downloadable products

  • Securing downloadable products

    What are the tightest permissions that can be used for the folder: wp-content/plugins/wp-easycart-data/products/downloads/ without interfering with the function of the cart itself?

    When it's set to 755, the entire planet can go to the download folder in their address bar, save every single downloadable product at an effective price of $0, and bypass the cart entirely. The entire product line is simply listed there with links to the whole directory for anyone who chooses to do so. For physical products it would be no problem. For downloadable ones, it's terrible.

    Are permissions the best way to combat this issue, or should this be approached a different way? If so, what should that way be?

  • #2
    By default we try and set that folder to 0751 so that a user cannot browse the folder, but direct file access is possible. Sometimes the server does not allow us to set the permissions to this on the folder and you should update to 0751 to fix this issue.

    Permissions are a good way to do this. We never give out the file's actual name or location to the customer on the download (processed through a PHP script) so unless the user knows the exact location of the downloadable file they should never be able to access it once the permissions are updated.


    • #3
      Thanks. I didn't realize you had replied until now. Yes, I figured out the 751 myself, and it is working - with those limitations you pointed out on the file name. So tell me, could we append the usual gibberish to the file name itself (and add that into the path for the download, of course) or would it mess things up? As it is, I have to ftp the downloadable product to the correct folder, since the admin panel wants to stick it into the regular media folder.

      In some future release or update, are you going to be fixing this problem? We need the appended gibberish to be automatically generated, as well as the correction on the path, so we don't have to ftp the files to the server each time. It would make things a lot easier for those of us who sell digital products to be able to do that from the admin panel. Thanks.


      • #4
        Yes, you can rename the files whatever you want... if you like them obfuscated with the long hash in them, then you can add that to them. In the future upgrades, if you upload a file, they should be placed into the wp-easycart-data folder and not into the media library as we have decided to put them into our download folder; this way you can set up permissions separate from the media area.
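
The two measures discussed in this thread (a 0751 downloads folder plus a random suffix on each file name), as an added example that is not part of any post above and is not WP EasyCart code. The function names `other_access` and `harden_downloads` are hypothetical, the sample file is constructed, and it assumes the web server reaches the folder through the "other" permission class.

```python
import os
import secrets
import stat
import tempfile


def other_access(mode):
    """Report what the 'other' permission class can do with a directory."""
    return {
        "list": bool(mode & stat.S_IROTH),      # r: enumerate the file names
        "traverse": bool(mode & stat.S_IXOTH),  # x: open a file whose name is known
        "write": bool(mode & stat.S_IWOTH),
    }


def harden_downloads(path, token_bytes=16):
    """Append a random token to every file name, then set the folder to 0751.

    Returns {old_name: new_name} so the download path stored for each
    product can be updated to match (assumed to be done by the shop admin).
    """
    renamed = {}
    for name in sorted(os.listdir(path)):
        src = os.path.join(path, name)
        if not os.path.isfile(src):
            continue
        stem, ext = os.path.splitext(name)
        new_name = f"{stem}-{secrets.token_hex(token_bytes)}{ext}"
        os.rename(src, os.path.join(path, new_name))
        renamed[name] = new_name
    os.chmod(path, 0o751)
    return renamed


def demo():
    """Build a constructed 0755 downloads folder, harden it, compare the bits."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")
        os.mkdir(downloads)
        os.chmod(downloads, 0o755)
        with open(os.path.join(downloads, "ebook.pdf"), "wb") as fh:
            fh.write(b"constructed sample file")
        before = other_access(os.stat(downloads).st_mode)
        renamed = harden_downloads(downloads)
        after = other_access(os.stat(downloads).st_mode)
        return before, after, renamed


if __name__ == "__main__":
    print(demo())
```

With 0751 the "list" bit is off while "traverse" stays on, which is why a file is still reachable by anyone who knows its exact name and why the unguessable suffix matters.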