這個外掛並未在最新的 3 個 WordPress 主要版本上進行測試。開發者可能不再對這個外掛進行維護或提供技術支援,並可能會與更新版本的 WordPress 產生使用上的相容性問題。

Private Uploads

外掛說明

‘Private’ uploaded files (PDFs, images, etc.) will normally be only included in private posts and pages. But the files themselves can still be accessed by anyone if they know the corresponding URLs.

For example, a PDF file’s URL might be

http://example.com/wp-content/uploads/minutes-20160924.pdf

and anyone could download that file because WordPress does not get a chance to check their authorisation.

The solution that the Private Uploads plugin uses involves moving any private files to a separate folder, and then configuring the web server to ask WordPress to authenticate access to files in that folder.

So the file’s URL might now be

http://example.com/wp-content/uploads/private/minutes-20160924.pdf

and an HTTP server rewrite rule will convert this to

http://example.com/?pucd-folder=private&pucd-file=minutes-20160924.pdf

The Private Uploads plugin will intercept that URL and reject it with a 403 status code.

This plugin is more efficient than some similar ones because it only has to run when serving files in the private folder(s): the web server handles other uploaded files (ones not in the private folders) directly.

Requirements

  • Sufficient access to the web server to allow the required configuration.

Acknowledgements

Future Plans

  • Currently, access to private files just depends on the is_user_logged_in() function. This plugin could be developed to give more fine-grained control, such as having a folder for each user.

安裝方式

Install the plugin in the usual way and activate it.

Move your private uploads (PDFs, images, or whatever) into a separate sub-folder within the WordPress uploads folder (usually /wp-content/uploads). One way of creating such a folder and moving the private files is by means of the Media Organiser plugin.

Then configure your web server as follows:

Nginx

Include a line like this in the server section of the Nginx configuration:

rewrite ^/wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 break;  

The folder name ‘private’ can be anything you like — it just has to match the name of the folder where your private files are kept, and be enclosed in parentheses in the rewrite statement.

More than one private folder can be configured by adding more lines of the same form, for example:

rewrite ^/wp-content/uploads/(2017/secure)/(.*)$ /?pucd-folder=$1&pucd-file=$2 break;  

Apache

Enchiridion has supplied the following configuration for Apache. Thank you.

Here’s an equivalent rule for Apache to add to your existing rules:

RewriteRule ^wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 [L]

Or you can copy/paste this entire block into your .htaccess file. Add before the # BEGIN WordPress block:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Block unauthenticated user access to the /private/ uploads folder
RewriteRule ^wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 [L]
</IfModule>

Other web servers

are left as an exercise for the reader.

使用者評論

2019 年 11 月 18 日
Simple, works well, just perfect for me. Some tips: With the Plugin User Role Editor you can add a role like view_private_file and choose which user roles can access it. You can also redirect to a access denied page. Just modify in the Plugin file the function send_private_file like this: // Only return files to logged-in users if (!is_user_logged_in() || !current_user_can('view_private_file')) { header("Location: https://www.yoursite.com/access-denied"); die(); }
2019 年 2 月 26 日
Developer was helpful in answering my questions. Bluehost users will want to follow the Apache instructions.
2018 年 7 月 12 日
This is just the plugin I needed! No fluff, just does one thing and does it well. While it does work out of the box, there’s some hard-coded paths and other things in there that can’t be changed, so I’ve based a customized version off this plugin. For anyone who wants to use this with Apache, here’s an equivalent .htaccess rule: RewriteRule ^wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 [L]
閱讀全部 3 則使用者評論

參與者及開發者

以下人員參與了開源軟體〈Private Uploads〉的開發相關工作。

參與者

將〈Private Uploads〉外掛本地化為台灣繁體中文版

對開發相關資訊感興趣?

任何人均可瀏覽程式碼、查看 SVN 存放庫,或透過 RSS 訂閱開發記錄

變更記錄

0.1.1

Tested with WordPress 5. Documentation tidied up.

0.1.0

  • First public release.