#37206 Direct Acces Wordpress

Posted in ‘Pre-sales and Account Questions’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.




I'm planning to buy admin tools for wordpress.....but I have a question......


Is posible to avoid direct acces to files in uploads??.....




When I try to update Akeeba backup or admin tools it requiere me to download the new file and install it.

I wanto to update them directly from joomla.

How to fix this??






Akeeba Staff

No, it's not and it does not make a lot of sense.

This is usually called "hotlink protection" and the way people implement it is by adding a bit of .htaccess code which checks that the HTTP Referer header's content matches the URL to your site. This is a very weak protection; someone can of course download the file by spoofing the HTTP header. It also causes problems. You cannot access these files if your site can be accessed from multiple subdomains or domains e.g. www and non-www version of your domain, HTTP and HTTPS, or different subdomains and domains such as in the case of WordPress multisite installations. You cannot access these files if the browser does not send an HTTP Referer header as is the case with rel=noreferer links or browsers with a high degree of privacy enabled. You cannot share these files on social media; they need to download the files to generate previews. Search engines cannot index the files either. In many cases you cannot access the files using JavaScript (XMLHttpRequest or Fetch) which can make third party plugins relying on such JavaScript fail.

In the end of the day, this was a reasonable thing to do 20 years ago when servers had a ridiculously low bandwidth limit measured in the few tens of Megabytes per month and the entire web was very much static content. It no longer makes any sense at best, typically it's actively harmful to your site.

If you are truly worried about file access you should use a download manager with an off-site folder holding the uploads. Instead of accessing the files directly, your users will have to log in to get access to a download link. That's, for example, what we do for our Professional editions' downloads (albeit in Joomla, so our solution isn't available for your WordPress site, sorry). The downside to using a Download manager is that bigger files, in the order of dozens to hundreds of MiB, might fail to download as the entirety of the file has to be downloaded through PHP.

You need to consider your use case and decide if it makes sense to limit access to files.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: Typically we work Monday to Friday, 9am to 7pm Cyprus timezone (EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets, but we cannot respond to them, outside of our working hours.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!

Summer vacations: Our support will be closed for replies and new tickets from August 6th to August 21st, 2022 due to summer vacations.