[wp-edu] protecting uploaded files from direct download (multisite)

Alba Holgado albah at law.stanford.edu
Mon Aug 12 16:23:36 UTC 2013


Hi Joseph,

Have you considered using the http-authentication plugin at:
http://wordpress.org/plugins/http-authentication/ ?

Best-
Alba


On Mon, Aug 12, 2013 at 7:21 AM, Joseph Ugoretz <joseph.ugoretz at mhc.cuny.edu> wrote:

> Thanks to all!  Daniel's solution (wp-document-revisions) looks perfect
> for all needs.  If others are exploring the other options, here's some of
> what I've determined in my testing of the other plugins and suggestions.
>
> WordPress Download Manager--two major drawbacks.  First, it exposes ALL
> files on the entire server to every user.  I was able to edit that feature
> out of the admin panel, but would have to do so again on every update.
> Second (and worse from my perspective), it really does not protect the
> uploaded files.  It hashes the filename for the download link, but anyone
> who has that direct link can still download without knowing the password.
>
> Download Monitor--Limits downloads to logged in members (of specific user
> groups if wanted).  But has no provision for allowing non-logged in users
> with a password to download the files.  We sometimes want to give people
> access to downloading the files, but don't want to create accounts for them
> on our system.
>
> User Access Manager--works by rewriting the htaccess file on the uploads
> directory.  In my earlier testing, this method did not work at all for
> multisite installs.  Might be that the plugin does it better, but using it
> post facto (as we would have to) would eliminate all usable links from
> previously available downloads.  That warning, and the fact that it asks to
> rewrite databases upon install, made me nervous.
>
> WP-Document-Revisions looks like the best bet, for us.  The combination of
> a large (3000+ sites/users) multisite install and the need for real secure
> protection, not just obscurity, seems to be best filled by this plugin.  It
> also does much more, and the name "Document Revisions" doesn't include the
> main feature we're using it for, but that's something we can explain to
> users.
>
> It's interesting that this isn't something included in WordPress at this
> point.  And it's also interesting that so many of the proposed solutions
> don't work at all in multisite.  I think most people assume that a link on
> a password-protected page is also protected, or at least not indexed by
> Google. Especially if they're using a plugin which is supposed to manage
> downloads. Testing with a direct link in a separate (not-logged-in, no
> password entered, no cache existing) browser will almost always allow
> direct download of those "protected" files.
>
> Somewhat troubling!
>
>
> --
> Joseph Ugoretz, PhD
> Associate Dean
> Teaching, Learning and Technology
>
> Macaulay Honors College
> The City University of New York
> 35 West 67th St.
> New York, New York 10023
> TEL 212-729-2920
> FAX 212-580-8130
> joseph.ugoretz at mhc.cuny.edu
> macaulay.cuny.edu
>
> On Aug 12, 2013, at 9:44 AM, Anna Mulé <anna.mule at wagner.edu> wrote:
>
> > We are using the "User Access Manager" plugin to limit access to pages,
> > posts, and files to specific user groups.
> >
> > Anna Mulé | Director of Digital & Social Media
> > Office of Communications & Marketing
> > wagner.edu | 718.420.4468 | @wagnercollege
> >
> > Connect with Wagner College!
> >
> >
> >
> > On Mon, Aug 12, 2013 at 8:59 AM, Matthew Patulski <matthew at patulski.is> wrote:
> > +1 to download monitor.
> >
> > Matthew Patulski
> > PTA volunteer
> > www.northparkschools.org
> >
> > _______________________________________________
> > wp-edu mailing list
> > wp-edu at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-edu
>
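
The anonymous direct-link test Joseph describes in the quoted message (a separate browser with no login, no password entered and no cache), as an added example; it is not code from this thread or from any of the plugins named. The local sample server, its two paths and the verdict names are constructed for illustration.

```python
import http.server
import threading
import urllib.error
import urllib.request

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def check_direct_access(url, timeout=10):
    """Request url with no cookies, password or login and classify the reply."""
    # Empty ProxyHandler: connect directly, ignoring proxy environment variables.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    if status == 200:
        return "EXPOSED", status   # file served to an anonymous client
    if status in (401, 403, 404):
        return "BLOCKED", status   # anonymous client did not get the file
    return "REVIEW", status        # redirects and the rest: inspect by hand

class SampleSite(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: one raw upload path, one application-gated path."""
    def do_GET(self):
        if self.path.startswith("/wp-content/uploads/"):
            self.send_response(200)  # web server hands the file straight out
        else:
            self.send_response(403)  # application refused the anonymous request
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), SampleSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    paths = ["/wp-content/uploads/2013/08/syllabus.pdf", "/documents/syllabus.pdf"]
    results = {p: check_direct_access(base + p) for p in paths}
    server.shutdown()
    server.server_close()
    return results

if __name__ == "__main__":
    for path, (verdict, status) in demo().items():
        print(f"{verdict:8} {status} {path}")
```

Against a real site, pass `check_direct_access` the direct file URLs taken from the media library rather than the links shown on the password-protected page.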