Digital products - are downloadable items secure?

Hi all!

I'm just starting to explore Marketpress and have a question about downloadable products. As far as I can see, by using the "File Upload" button in the "Product Download" section of any product page, the file location doesn't seem to be protected in any way. It looks like the sample below:

http://example.com/teststore1/files/2012/01/product.pdf

Therefore, anyone who knows the url can download by copying it to their browser's address bar and bypass the payment step. I've tried it and was able to access the downloadable file with no problem.

I may be missing something obvious here, but is there a way to secure the file location?

Any help is appreciated.

  • aecnu
    • WP Unicorn

    Greetings pcwriter :slight_smile:

    First of all, sir, the URL given to the buyer is cloaked/encrypted.

    You are right that at this moment there is other protection that I am aware of.

    If the person does not know the EXACT url they cannot get the product and on our system they will get a 404 error - BEWARE on some hosts it will show the entire download directory.

    One way to ensure security would be to password protect the entire uploads directory with htaccess, which is certainly easy enough.

    Then change the download URL to include the user name and password :slight_smile:

    i.e. http://username:password@downloadpath.com/morepath/file.zip

    Joe :slight_smile:

  • Patrick
    • Support Monkey

    Hi aecnu,

    Thanks for your response! I looked into creating .htpasswd and .htaccess files for specific directories but didn't want to use that option as it would require creating them for each user store on my multisite install. Yikes!

    I did, however, check that the download URLs are encrypted by creating a 100% discount coupon which allowed me to "purchase" the product for $0.00 and bypass the PayPal checkout. Lo and behold, you're right, the URL in the email I received looks like this:

    http://example.com/teststore1/store/products/product.pdf/?orderid=c21f74598165

    ...while the actual url where the product is located on my server is like this:

    http://example.com/teststore1/files/2012/01/product.pdf

    So, hopefully, unscrupulous WP-experienced users won't be able to pirate digital downloads unless they can actually guess the correct folder they're in. :wink:

    Thanks again.

  • Timothy Bowers
    • Chief Pigeon

    :slight_smile:

    If you could change how it is handled, how would you envisage it working?

    Personally if it were me then I would like to see it also do something with the file name, like:

    UID-Productname-EXT

    So if my user ID was 4530 and the download was a zip for a product called MarketPress

    4530-marketpress-zip

    That in my mind would be cool... :slight_smile:

  • Patrick
    • Support Monkey

    Hi again Timothy!

    In my mind, the problem is not with the way the url is encrypted. We can encrypt to our heart's content, even going so far as making it completely unrecognizable, like this:
    xD_12t5df488d_0(gf)/55iu

    That wouldn't solve the problem as I see it. The problem is that the folder where downloadable items are stored on the server is not protected in any way. Anyone who knows the location of that folder could pirate its entire contents.

    In the past, I've used another membership plugin (not to be confused with WPMUdev's Membership or Marketplace) that creates its own protected folder for downloadable products and encrypts the URLs to files in that folder. But I don't want to use it for one of my current multisite projects 'cuz it doesn't have all the very cool global-network features that Marketpress does.

    If the devs could include a way for Marketpress to work in a similar fashion, creating a specially-protected folder for each site where that site's downloadable items are stored, that would be ideal I think.

    Your thoughts?

  • Timothy Bowers
    • Chief Pigeon

    Ah yeah I see what you mean now. I thought you meant seeing the file name, knowing it was a WP site and sticking the url in.

    I know in the last project I worked with (not WP related) they used to put their equivalent of the wp-config.php file outside of the root folder, thus making it inaccessible over http: through a direct query. I've never tried but perhaps something similar could be done so it could never be loaded through http...... Not sure how well that would work if you wanted to then download that file.

    Take care,
    Tim.

  • Aaron
    • CTO

    It's beyond the scope of the plugin to protect a folder, as that is server dependent. The URL is hidden, so they would need to know the original URL to download. Of course you could upload to any folder, and put any URL in that field. You could then protect the dir with an htaccess or similar.
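
The approach raised in this thread (keep the files where no URL reaches them and release them only through a script that checks the order) could look like the following. This is an added example, not MarketPress code and not written by anyone in the thread; the directory path, the constructed order table and the function name `resolve_download` are assumptions, and the order ID is the sample one quoted above.

```php
<?php
declare(strict_types=1);
// Added example of a gated download handler. All names and paths are assumptions.

// Directory outside the web root, so no URL maps to it (assumed path).
const PRIVATE_DIR = '/var/www/private_downloads';

// Constructed stand-in for a paid-order lookup: order ID => stored file name.
const PAID_ORDERS = ['c21f74598165' => 'product.pdf'];

/** Return the absolute path this order may download, or null to refuse. */
function resolve_download(string $orderId, array $orders, string $baseDir): ?string
{
    // Accept only a 12-character lowercase hex ID, the shape of the sample above.
    if (preg_match('/\A[a-f0-9]{12}\z/', $orderId) !== 1) {
        return null;
    }
    if (!isset($orders[$orderId])) {
        return null; // unknown or unpaid order
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $orders[$orderId]);
    // realpath() resolves ../ and symlinks; the result must stay inside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Web entry point; skipped when the file is run from the command line.
if (PHP_SAPI !== 'cli') {
    $orderId = isset($_GET['orderid']) && is_string($_GET['orderid']) ? $_GET['orderid'] : '';
    $path = resolve_download($orderId, PAID_ORDERS, PRIVATE_DIR);
    if ($path === null) {
        http_response_code(404); // same answer for every kind of failure
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Because the storage directory has no URL of its own, knowing or guessing the upload path no longer yields the file; the order check in the script is the only way to it.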
