Protection Digital products

I discovered that all my digital products (PDF files) were indexed by Google. So, I could find my “hard work” for free on Google. You could also see the address of the files.

The files were stored in the folder /wp-content/uploads/year/month. This is the default setting for the media library and the default location for the uploaded digital products.

These are default settings and I did not change anything.
I knew that when you know the exact file address of a digital product that you were able to access it.

My solution:
- I copied all my digital products to a new directory and deleted the old files from /wp-content/uploads/year/month.
- In robots.txt I made the rule: “Disallow: /wp-content/new directory name/” to prevent search engines from crawling this directory.
- In my new directory I put a htaccess file with:
order deny,allow
deny from all
allow from none
- I changed in all products the download location
- Gave myself a coupon code of 100% discount and tested whether I was able to download the digital products.

My Questions:
- Is this normal or is this something that has to do with server settings and file permissions?
- Is it possible to store the files of digital products in a different location than the standard location using the possibility “Product upload / upload file” in the product description?

My results:
The old indexed files by search engines are not accessible anymore.
The files are also not accessible anymore when you know the exact file address.
All my digital downloads are now on one location and not spread in the wp-content/year/month structure.

Please some feedback

Ella

  • Vaughan
    • Support/SLS MockingJay

    hi @Ella

    thanks for posting on the forum & bringing up this query.

    The way you have done this is the right way of doing it at the moment.

    although the file path is obfuscated in the email to the user, it isn't an extremely secure solution.

    But nonetheless, the way you have setup with robots.txt & htaccess is the best method for the moment.

    The best method I can think of which would require lots of custom work on the plugin, is to be able to store the files outside of the Document Root.

    ie.

    your/server/path

    your/server/path/public_html (document Root)
    your/server/path/mp_uploads (not accessible to browsers as outside the doc root)

    of course not all server configs will allow you to write to folders outside the doc root (though In my opinion they ALL should allow it)

    the upside to this method, is that no matter whether they know the file path or not, it would be impossible for anyone to access it from a browser using a URL, because the URL can't go above public_html (document Root).

    But this would require a change in the script for downloading the content.

    We would have to create a downloader script. so instead of fetching the download via URL, the downloader would fetch the file by using its absolute file path, and send the download to the browser using something like

    header("Content-Disposition: attachment; filename=".$file);

    this could also store the filename obfuscated on the server & then change to the filename when it is served to the browser.

    I will make that suggestion to @Aaron when he returns from his vacation.

    hope this helps.

    thanks
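
A sketch of the downloader script described in the reply above, as an added example that is not part of the original thread and not MarketPress code. It assumes the `mp_uploads` directory sits next to the document root as in that layout; the token scheme, the catalogue and the function names are hypothetical.

```php
<?php
// Added example (hypothetical downloader, not MarketPress code).
// Assumption: products live in mp_uploads, a sibling of the document root.
const STORE_DIR = __DIR__ . '/../mp_uploads';

// Constructed sample data: per-order token => [obfuscated stored name, name shown to buyer].
// Assumption: the shop issues one unguessable token per paid order.
const CATALOG = [
    '3f9a1c7e5b2d4f60' => ['a81b2f.bin', 'my-ebook.pdf'],
];

/** Return [absolute path, download name] for a token, or null if nothing may be served. */
function resolve_download(string $storeDir, array $catalog, string $token): ?array
{
    if (!isset($catalog[$token])) {
        return null;                  // the path is never built from request input
    }
    [$stored, $shown] = $catalog[$token];
    $base = realpath($storeDir);
    $path = realpath($storeDir . '/' . $stored);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved file must sit inside the store directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Restrict the served name so it cannot break out of the quoted header value.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($shown));
    return [$path, $safe];
}

function send_download(string $path, string $name): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {             // only act when reached through the web server
    $token = $_GET['token'] ?? '';
    $hit = resolve_download(STORE_DIR, CATALOG, is_string($token) ? $token : '');
    if ($hit === null) {
        http_response_code(404);
        exit;
    }
    send_download(...$hit);
}
```

Because the request only ever supplies a token, the stored name and the absolute path never appear in a URL, and the name sent to the browser is restored from the catalogue at download time.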

  • Elliott Bristow
    • The Bug Hunter

    Hi Ella,

    By default, Google will index any file it can find that is linked to via your site. If you have a link to the file on your site that the public can access then Google will index it.

    If you add the file while adding the product in MarketPress there would be no direct links to the file and Google should not be able to see it.

    I've flagged the developer to take a look just in case there is a potential bug here, but MarketPress shouldn't expose any links to the file for Google to be able to crawl.

  • Ella
    • The Incredible Code Injector

    Hi @Vaughan and @Elliott,

    Thank you very much for your extensive feedback. For this moment I am a little bit more relaxed. :)

    My hosting provider allows me to write to folders outside of the root. I tried that, but exactly as you said, it is not possible for a customer to download the file.

    I think (with my woman logic) that the place where all the pictures are stored is not really the place where you want to store the digital products. Because you want Google to index your pictures but not your products.

    Is there a possibility that I can change in the code the upload location?

    Thanks again,

    Ella

  • Elliott Bristow
    • The Bug Hunter

    Hey @Ella,

    In the WordPress settings you can set the default upload location of your media files.

    The following advice is shamelessly copied and pasted from http://wordpress.stackexchange.com/questions/29936/can-i-upload-media-to-a-specific-folder

    - Go to Dashboard -> Settings -> Media
    - Enter the desired location in Store uploads in this folder
    - Uncheck Organize my uploads into month- and year-based folders

    This will specify the global upload location. To specify a per-file upload location, you'll need to use a Plugin, such as WP Easy Uploader

  • Ella
    • The Incredible Code Injector

    Hi @Elliott,

    Thanks for your reply. I think I was not clear enough.
    I am not a fan of adding additional plugins to solve problems (conflicts, out of date etc.).

    What I want, is that I can separate the location for Images and digital product files.

    1. upload location for the media library is ok for me.
    2. When I upload the digital product file, using the "upload file button" in product description of Marketpress, then mp will put it in the media library.

    That is exactly what I don't want. I want when I am using this "upload file button" that mp put the file in my new "secure" directory. At this moment I first upload the file using FTP to my new directory and then put the file name path in the product properties.

    So maybe there is someone who can explain to me how I can change that in the code from MP.

    Ella

  • Elliott Bristow
    • The Bug Hunter

    Hi Ella,

    Sorry for the delay in answering this for you. I'm reluctant to advise on editing the code for this plugin without first consulting with the developer. I wouldn't want to break his hard work! :)

    Unfortunately the developer is currently away so I've not been able to discuss this with him. When he returns I will see what we can come up with. He has already been flagged to take a look at this thread so he is already aware that we are looking for some input.

    In honesty I don't expect a code based fix to be straightforward. Currently the plugin uses WordPress' built in Media Uploader. To force the plugin to upload to a different location would require either recoding the uploader or adding a new uploader system to the MarketPress interface, both of which are not a 'one line fix'.

    As I say, we'll see what we can come up with and let you know.

  • RavanH
    • The Crimson Coder

    My thoughts on this issue here https://premium.wpmudev.org/forums/topic/protect-digital-products-from-unverified-download?replies=5#post-585534

    We won't be building in custom upload locations though.

    Which is too bad as it makes MarketPress an unlikely candidate for our purposes. We are not about to hand out FTP accounts to all site owners in the network. Nor do we want to force them to use external services like S3 (only as an option) or complications by other plugins.
