[wp-hackers] securing /wp-content/uploads

Eric Mann eric at eam.me
Thu Apr 5 16:49:22 UTC 2012


My recommendation would be to use .htaccess to require authentication for
that directory.

On Thu, Apr 5, 2012 at 9:19 AM, Konrad Karpieszuk <kkarpieszuk at gmail.com> wrote:

> hi there :)
>
> My client needs to make something like a private forum based on
> WordPress. We will create a custom post type called 'forum posts' which
> will be the same as regular WordPress posts, with one exception: forum
> posts will be visible only to logged-in WordPress users.
>
> The problem is with attachments. If somebody is familiar with
> WordPress he can guess that all attachments are located in
> /wp-content/uploads and can guess easy names of files (this will be a
> job forum so somebody could try to type /wp-content/uploads/{some date
> structures}/cv.doc and it is very possible that this person will get
> this file).
>
> How to prevent this? Maybe some .htaccess file which will check if
> somebody who tries to download a file is a logged-in WP user with a certain role?
> But how? Or maybe some other way?
>
> --
> (en) regards / (pl) pozdrawiam
> Konrad Karpieszuk
> http://tradematik.pl WordPress plugin for creating shops for
> customers from Poland
>
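A sketch of the .htaccess approach recommended in the reply, as an added example that is not part of the original thread. The realm name and the password file path are assumptions (placeholders), and the directives only take effect if the server permits them via AllowOverride.

```apache
# File: wp-content/uploads/.htaccess  (added example, not from the thread)
# Needs "AllowOverride AuthConfig" (and "Options" for the last directive)
# on this directory in the main server configuration.

# Require HTTP Basic authentication for every file under uploads/.
AuthType Basic
# Realm text shown in the browser prompt (constructed value).
AuthName "Private uploads"
# Password file created with the htpasswd tool. Placeholder path:
# keep the real file outside the document root so it cannot be fetched.
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user

# Do not list directory contents, so file names cannot be browsed.
Options -Indexes

# Check after deploying: a request for a file under /wp-content/uploads/
# sent without credentials should return 401 instead of 200.
```

These credentials live in the htpasswd file and are separate from WordPress accounts, so this gates the directory but does not check a WordPress login or role. Basic authentication sends the password with every request in a trivially decodable form, so serve the directory over HTTPS.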

