[wp-hackers] securing /wp-content/uploads

Konrad Karpieszuk kkarpieszuk at gmail.com
Thu Apr 5 16:19:11 UTC 2012


hi there :)

My client needs to make something like a private forum based on
WordPress. We will create a custom post type called 'forum posts', which
will be the same as regular WordPress posts, with one exception: forum
posts will be visible only to logged-in WordPress users.

The problem is with attachments. If somebody is familiar with
WordPress, he can guess that all attachments are located in
/wp-content/uploads and can guess easy file names (this will be
a job forum, so somebody could try to type /wp-content/uploads/{some date
structures}/cv.doc and it is very possible that this person will get
this file).

How to prevent this? Maybe some .htaccess file which will check if
somebody who tries to download a file is a logged-in WP user with a certain role?
But how? Or maybe some other way?

--
(en) regards / (pl) pozdrawiam
Konrad Karpieszuk
http://tradematik.pl a WordPress plugin for creating shops for
customers from Poland
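
One way to implement the check the post asks about, as an added example that is not part of the original message or of WordPress itself: an .htaccess rule hands every request under /wp-content/uploads to a small PHP gate that serves the file only to a logged-in user holding a required capability. The script name `uploads-gate.php`, its location in the WordPress root, the `REQUIRED_CAP` value, and Apache with mod_rewrite on a site installed at the web root are all assumptions.

```php
<?php
/**
 * uploads-gate.php: added example, placed in the WordPress root (assumed
 * name and location). Assumes Apache with mod_rewrite and this rule in
 * wp-content/uploads/.htaccess, so no file there is served directly:
 *
 *   RewriteEngine On
 *   RewriteRule ^(.+)$ /uploads-gate.php?file=$1 [L]
 */
require_once __DIR__ . '/wp-load.php';   // boots WordPress, including auth cookies

const REQUIRED_CAP = 'read';             // assumption: any logged-in role may download

if ( ! is_user_logged_in() ) {
    auth_redirect();                     // redirects to the login page and exits
}
if ( ! current_user_can( REQUIRED_CAP ) ) {
    status_header( 403 );
    exit;
}

// Resolve the requested path and refuse anything outside the uploads directory
// (blocks ../ traversal and symlinks that point elsewhere).
$uploads   = wp_upload_dir();
$base      = realpath( $uploads['basedir'] );
$requested = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
$path      = realpath( $base . '/' . $requested );

if ( false === $base || false === $path || ! is_file( $path )
    || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
    status_header( 404 );
    exit;
}

// Only stream file types WordPress itself accepts as uploads.
$type = wp_check_filetype( $path );
if ( empty( $type['type'] ) ) {
    status_header( 403 );
    exit;
}

nocache_headers();                       // keep private files out of shared caches
header( 'Content-Type: ' . $type['type'] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );
header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( basename( $path ) ) . '"' );
readfile( $path );
exit;
```

Because every download now loads WordPress, this suits private attachments such as CVs better than high-traffic public media.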

