
Open content directory help!


I just found out that I have a wp-content directory that is open where you can see all of my files that I have on my site - PDFs, JPGs, etc. Files that are meant to be for members only as well... all images uploaded etc. I was wondering: a) Is there any way to tell if anyone has been there and if they have downloaded any of my files? b) How do I close this directory?

Thank you!


asked Oct 31, 2018 at 12:55 ellaella

2 Answers

A) The best you can do is look through server logs, if you have access to them. You would have to comb through the logs and you can then find what IP addresses have requested certain files. If any are from human visitors then yes, their web browser has downloaded the file to a cache. Most users aren't savvy enough to comb through their cache to save images but it is possible.

B) There are several steps to secure the folder.

Step 1: add a .htaccess file right in the /wp-content/ folder. All it needs to contain is

Options -Indexes

That way if someone visits http://example/wp-content/ they will not see a list of files to peruse. The file applies to this folder and any subfolders so you're covered from that angle.

Step 2: discourage search engines from indexing images. Edit your existing, or create a new, robots.txt in your root folder so it is available at http://example/robots.txt:

User-agent: Googlebot-Image
Disallow: /wp-content/

This will tell Google not to show any of the files in search results. You may also want to block other search engines - you'll just add multiple user-agents with the same rule.

Step 3: You should look into other membership plugins as ideally the membership plugin should control access to the files themselves. There are various methods to make the files only available through your server, such as actually moving the content to a folder outside the public html folder and then serving it via PHP, and it really depends on your plugin setup which method will work best, but it's simplest if the member plugin itself handles this part for you.
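The log review described in part A, as an added example that is not part of the original answer: it reports, per client IP, which directory listings and files under /wp-content/ were actually served. It assumes the Apache "combined" access log format; the function name `summarize` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed; adjust if your server logs differently).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
BOT_RE = re.compile(r'bot|crawl|spider|slurp', re.I)

def summarize(lines, prefix="/wp-content/"):
    """Per-IP summary of requests under `prefix` that returned content."""
    report = defaultdict(lambda: {"listings": [], "files": [], "bytes": 0, "bot": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["path"].split("?", 1)[0]
        # 200/206 mean a body was sent; 403/404/304 transferred no file content.
        if not path.startswith(prefix) or m["status"] not in ("200", "206"):
            continue
        entry = report[m["ip"]]
        entry["bot"] = entry["bot"] or bool(BOT_RE.search(m["ua"]))
        if path.endswith("/"):
            entry["listings"].append(path)  # the directory index itself was served
        else:
            entry["files"].append(path)
            entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    return dict(report)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2018:10:01:02 +0000] "GET /wp-content/uploads/2018/10/ HTTP/1.1" 200 1523 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [30/Oct/2018:10:01:09 +0000] "GET /wp-content/uploads/2018/10/members-guide.pdf HTTP/1.1" 200 482113 "http://example/wp-content/uploads/2018/10/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [30/Oct/2018:11:15:40 +0000] "GET /wp-content/uploads/2018/10/photo.jpg HTTP/1.1" 200 90211 "-" "Googlebot-Image/1.0"',
    '192.0.2.44 - - [31/Oct/2018:13:05:00 +0000] "GET /wp-content/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        kind = "crawler" if e["bot"] else "browser/other"
        print(ip, kind, "listings:", e["listings"], "files:", e["files"], "bytes:", e["bytes"])
```

The result only covers the period your host retains access logs for, and the user-agent string is client-supplied, so the crawler flag is a hint rather than proof.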

Make sure there is an index.php file in the wp-content directory that has the following code in it:

<?php 
// Silence is golden.

That should fix your problem.
