[wp-hackers] securing /wp-content/uploads

Eric Mann eric at eam.me
Thu Apr 5 16:49:22 UTC 2012

My recommendation would be to use .htaccess to require authentication for
that directory.

On Thu, Apr 5, 2012 at 9:19 AM, Konrad Karpieszuk <kkarpieszuk at gmail.com>wrote:

> hi there :)
> My client needs to make something like private forum based on
> wordpress. We will create custom post type called 'forum posts' which
> will be the same as regular wordpress posts. with one exception: forum
> posts will visible only for logged wordpress users
> The problem is with attachments. If somebody is familiar with
> wordpress he can guess that every attachments are located in
> /wp-content/uploads and can guess easy names of files (this will be
> job forum so somebody could  try to type /wp-content/uplads/{some date
> structures}/cv.doc and it is very possible that this person will get
> this file)
> How to prevent this? Maybe some .htaccess file which will check if
> somebody who try download file is logged wp user with certain role?
> but how? or maybe other way?
> --
> (en) regards / (pl) pozdrawiam
> Konrad Karpieszuk
> http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
> klientów z Polski
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list