[wp-edu] protecting uploaded files from direct download (multisite)

Joseph Ugoretz joseph.ugoretz at mhc.cuny.edu
Mon Aug 12 14:21:28 UTC 2013


Thanks to all!  Daniel's solution (wp-document-revisions) looks perfect for all needs.  If others are exploring the other options, here's some of what I've determined in my testing of the other plugins and suggestions.

WordPress Download Manager--two major drawbacks.  First, it exposes ALL files on the entire server to every user.  I was able to edit that feature out of the admin panel, but would have to do so again on every update.  Second (and worse from my perspective), it really does not protect the uploaded files.  It hashes the filename for the download link, but anyone who has that direct link can still download without knowing the password.

Download Monitor--Limits downloads to logged-in members (of specific user groups if wanted).  But has no provision for allowing non-logged-in users with a password to download the files.  We sometimes want to give people access to downloading the files, but don't want to create accounts for them on our system.

User Access Manager--works by rewriting the htaccess file on the uploads directory.  In my earlier testing, this method did not work at all for multisite installs.  Might be that the plugin does it better, but using it post facto (as we would have to) would eliminate all usable links from previously available downloads.  That warning, and the fact that it asks to rewrite databases upon install, made me nervous.

WP-Document-Revisions looks like the best bet, for us.  The combination of a large (3000+ sites/users) multisite install and the need for real secure protection, not just obscurity, seems to be best filled by this plugin.  It also does much more, and the name "Document Revisions" doesn't include the main feature we're using it for, but that's something we can explain to users.

It's interesting that this isn't something included in WordPress at this point.  And it's also interesting that so many of the proposed solutions don't work at all in multisite.  I think most people assume that a link on a password-protected page is also protected, or at least not indexed by Google. Especially if they're using a plugin which is supposed to manage downloads. Testing with a direct link in a separate (not-logged-in, no password entered, no cache existing) browser will almost always allow direct download of those "protected" files.

Somewhat troubling!


-- 
Joseph Ugoretz, PhD
Associate Dean
Teaching, Learning and Technology

Macaulay Honors College
The City University of New York
35 West 67th St.
New York, New York 10023
TEL 212-729-2920
FAX 212-580-8130
joseph.ugoretz at mhc.cuny.edu
macaulay.cuny.edu

On Aug 12, 2013, at 9:44 AM, Anna Mulé <anna.mule at wagner.edu>
 wrote:

> We are using the "User Access Manager" plugin to limit access to pages, posts, and files to specific user groups.
> 
> Anna Mulé | Director of Digital & Social Media
> Office of Communications & Marketing
> wagner.edu | 718.420.4468 | @wagnercollege
> 
> Connect with Wagner College!
> 
> 
> 
> On Mon, Aug 12, 2013 at 8:59 AM, Matthew Patulski <matthew at patulski.is> wrote:
> +1 to download monitor. 
> 
> Matthew Patulski
> PTA volunteer
> www.northparkschools.org
> 
> _______________________________________________
> wp-edu mailing list
> wp-edu at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-edu
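
The test described in the message above (request the direct file link from a client with no login, no password entered and no cache) can be scripted for a list of your own upload URLs. This is an added example, not part of the original thread or of any plugin named in it; the function names are this example's own and the URLs and responses in SAMPLE are constructed.

```python
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url, timeout=10):
    """GET url with no cookies or credentials; return (status, headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def classify(status, headers):
    """Judge one anonymous response to a supposedly protected file URL."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status in (401, 403, 404):
        return "protected"
    if 300 <= status < 400:
        return "redirect: " + headers.get("location", "?")
    if status == 200 and ctype != "text/html":
        return "EXPOSED"  # file body served to a client with no session
    if status == 200:
        return "html page (login or password form?)"
    return "unknown (%d)" % status


def audit(urls, fetch=fetch_anonymous):
    """Map each URL to its verdict; pass a fake fetch to run offline."""
    return {url: classify(*fetch(url)) for url in urls}


# Constructed sample responses (not captured from any real site).
SAMPLE = {
    "https://example.org/wp-content/uploads/sites/5/2013/08/exam.pdf":
        (200, {"content-type": "application/pdf"}),
    "https://example.org/documents/2013/08/exam.pdf":
        (302, {"location": "https://example.org/wp-login.php"}),
    "https://example.org/wp-content/uploads/sites/7/grades.xlsx":
        (403, {"content-type": "text/html; charset=UTF-8"}),
}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE, fetch=SAMPLE.get).items():
        print(f"{verdict:45} {url}")
```

Calling `audit()` with the default fetcher against a site you administer makes real anonymous requests; any URL reported as EXPOSED is served regardless of the password on the page that links to it.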


