[wp-hackers] securing /wp-content/uploads
Simon Prosser
pross at pross.org.uk
Thu Apr 5 16:50:43 UTC 2012
or deny by referer
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule \.(doc)$ - [F]
On 5 April 2012 17:49, Eric Mann <eric at eam.me> wrote:
> My recommendation would be to use .htaccess to require authentication for
> that directory.
>
> On Thu, Apr 5, 2012 at 9:19 AM, Konrad Karpieszuk <kkarpieszuk at gmail.com>wrote:
>
>> hi there :)
>>
>> My client needs to make something like private forum based on
>> wordpress. We will create custom post type called 'forum posts' which
>> will be the same as regular wordpress posts. with one exception: forum
>> posts will visible only for logged wordpress users
>>
>> The problem is with attachments. If somebody is familiar with
>> wordpress he can guess that every attachments are located in
>> /wp-content/uploads and can guess easy names of files (this will be
>> job forum so somebody could try to type /wp-content/uplads/{some date
>> structures}/cv.doc and it is very possible that this person will get
>> this file)
>>
>> How to prevent this? Maybe some .htaccess file which will check if
>> somebody who try download file is logged wp user with certain role?
>> but how? or maybe other way?
>>
>> --
>> (en) regards / (pl) pozdrawiam
>> Konrad Karpieszuk
>> http://tradematik.pl wtyczka do WordPressa do tworzenia sklepów dla
>> klientów z Polski
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
--
My Blog: http://pross.org.uk/
Plugins : http://pross.org.uk/plugins/
Themes: http://wordpress.org/extend/themes/profile/pross
More information about the wp-hackers
mailing list