
How to block direct access to uploads/edd folder on NGINX


As I explained in the professional WordPress course, the Apache web server is almost obsolete, and we need to use NGINX or the LiteSpeed web server to speed up our website.

Most hosting companies have to use the LiteSpeed web server instead of NGINX because of WordPress permalink limitations. Of course, LiteSpeed is not free.

If you want to check whether your web server is NGINX, go to Tools > Site Health in the WordPress dashboard, where the web server is listed.

Now, if you have a high-traffic website and want to host it on a completely dedicated server, you can use NGINX as your web server. Troublesome but fast!

NGINX and EDD security issues

One of the problems with NGINX is that it does not read .htaccess files. So you have to enter your configurations directly in the /etc/nginx/nginx.conf file.

When you use the NGINX web server and install the Easy Digital Downloads plugin on your WordPress website, everybody can access your downloads folder, because the .htaccess rules that EDD places in that folder to protect it are simply ignored by NGINX. For example, someone who knows or guesses a file name can download all your files without paying.

To test this you have to type this address in your browser:

http://yoursite.com/wp-content/uploads/edd/downloadname.zip

Enter your site address instead of yoursite.com and the name of the download file instead of downloadname.zip.

Now, if you get a 403 or 404 error, access to this file is already restricted. But if the file is downloaded, your web server settings have a security problem and you have to solve it.

If you are not a server administrator then send this article to your server administrator. 🙂

Restrict access to the EDD folder

To restrict direct downloads in EDD, you must log in to your Linux server over SSH. Then change to the /etc/nginx folder with this command:

cd /etc/nginx/

Now open the nginx.conf file with this command.

vi nginx.conf

Finally, look for the server block in this file that belongs to your domain, that is, the block whose server_name directive (on the line after server {) lists your domain. On many distributions the server blocks are not in nginx.conf itself but in files included from it (for example under /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/), so check there if you cannot find your domain.

Paste this code inside that server block. It does not matter where inside the block it is placed.

# "^~" makes this prefix location win over any regex location
# (for example one matching *.zip for caching), which would otherwise
# take precedence and leave the files exposed; the trailing slash
# keeps the rule from also matching folders such as /uploads/edd-other
location ^~ /wp-content/uploads/edd/ {
    deny all;     # refuse every client
    return 403;   # respond with Forbidden
}

Now save the nginx.conf file. Then restart the NGINX web server with the following command.

service nginx restart

Just as easily 🙂 Now, if you type the file address directly in your browser, you will get error 403. This means that no one can fetch the files directly, while your website can still read the file from disk and deliver it to the buyer, provided the plugin's download method streams the file through PHP rather than redirecting the browser to the direct URL, which would now hit the same 403.
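To make the steps above repeatable, here is a small POSIX-shell helper added as an example (it is not part of the original article or of EDD). It prints the location snippet, validates the configuration before reloading, and runs the 403 check from the "To test this" section against a URL of your choice. Assumptions: curl is installed on the machine running the check, and the nginx and service commands are on the PATH of the server; the path /wp-content/uploads/edd/ is the one named on this page.

```shell
#!/bin/sh
# Added example helper, not the article's or the plugin's own code.
# Usage: sh edd_guard.sh snippet | reload | check <url>

# Hardened location block. "^~" stops a later regex location such as
#   location ~* \.(zip|pdf)$ { ... }
# from taking precedence and silently re-exposing the files; the
# trailing slash keeps the rule from also matching /uploads/edd-other.
EDD_LOCATION='location ^~ /wp-content/uploads/edd/ {
    deny all;
}'

# Print the snippet so it can be pasted into the server block.
print_snippet() {
    printf '%s\n' "$EDD_LOCATION"
}

# Validate the configuration before reloading: a syntax error in
# nginx.conf would otherwise leave the site down after a restart.
# reload (instead of restart) keeps existing connections open.
reload_nginx() {
    nginx -t && service nginx reload
}

# Classify an HTTP status code from the defender's point of view:
# 0 = direct access refused (403/404), 1 = file served (200/206),
# 2 = anything else (redirect, server error) that needs a look.
classify_status() {
    case "$1" in
        403|404) return 0 ;;
        200|206) return 1 ;;
        *)       return 2 ;;
    esac
}

# Send a HEAD request (nothing is downloaded even if the file is
# exposed) and report whether the URL is blocked.
check_url() {
    url="$1"
    code=$(curl -s -o /dev/null -I -w '%{http_code}' "$url")
    rc=0
    classify_status "$code" || rc=$?
    case "$rc" in
        0) echo "BLOCKED  $code $url" ;;
        1) echo "EXPOSED  $code $url" ;;
        *) echo "UNCLEAR  $code $url" ;;
    esac
    return "$rc"
}

case "${1:-}" in
    snippet) print_snippet ;;
    reload)  reload_nginx ;;
    check)   check_url "$2" ;;
esac
```

Run `sh edd_guard.sh check http://yoursite.com/wp-content/uploads/edd/downloadname.zip` after the reload; EXPOSED means the rule is not taking effect, usually because it landed in the wrong server block or a regex location still overrides it.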

Good luck.
