Resolved: James Monroe

    (@jhmonroe)


    Hello!

    I see in the past you suggested this workaround: https://wpmudev.com/forums/topic/forminator-pro-forminator-pro-encrypt-or-protect-uploaded-files/

    But the current version of Forminator conveniently has a data setting to easily change the folder submissions are saved to.

    So Forminator saves the files in a folder like uploads/forminator/RANDOM-STRING/uploads/filename-here…

    However, I am still able to download files from those subfolders if I know the full path to the file. This seems like a security risk if clients are uploading private information to Forminator.

    Since you already have code that generates those RANDOM-STRING subfolders, their subfolders, and their contents, can you easily add an additional setting next to the Forminator uploads setting that allows the site admin to check a toggle that will automatically add .htaccess files to each of those secondary uploads folders, which would prevent someone from downloading files directly from those folders?

    Or please tell me if I’m misunderstanding how secure/insecure these folders are. Thanks!

  Plugin Support: Nithin – WPMU DEV Support

    (@wpmudevsupport11)

    Hi @jhmonroe,

    This is because WordPress’s wp-content/uploads directory is publicly accessible by default on most web servers, and it isn’t explicitly related to Forminator.

    Trying to block the files will also prevent the admin from viewing them. However, I’ll bring this to our Forminator team’s attention to see if there are any further improvements that could be considered down the road for this feature.

    Forminator does add .htaccess files under the /wp-content/forminator folder; you can add custom .htaccess rules to block the files, for example:
    https://wordpress.stackexchange.com/questions/390795/using-wordpress-logged-in-to-restrict-direct-access-to-uploads-folder-in-2021

    Regards,

    Nithin

    Thread Starter: James Monroe

    (@jhmonroe)

    Hey! Thanks for your reply. Yes, I worked with Claude to write some code that recursively protects any subfolders that are created. I found that (as you mentioned) this also had the effect of preventing the Forminator CSS folder from being read.

    The link you sent says that method does not work or prove anything and can be faked.

    I will wait for your dev team’s opinion, since perhaps only they can come up with a strong solution that is enacted by the plugin, is able to check against the database when someone is in the admin, and has a toggle to enable the extra security measure.

    In the meantime, I am testing adding an .htaccess rule to ONLY the uploads subfolder for the active form I’m working on (this will not automatically be added to future form subfolders):

    # Deny all access recursively
    <FilesMatch ".*">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </FilesMatch>

    As you noted, this does prevent downloads of the files from the Forminator Submissions page (via the attachment links) as well. It seems to still allow the automated email notification after submission to send the attachment as an attachment on the email.

    This could be something good for your devs to test/confirm as well since it offers a good solution.

    If such a toggle existed in the admin, it could also be applied so that only admins are allowed to download submissions.

    Plugin Support: Amin – WPMU DEV Support

    (@wpmudev-support2)

    Hello @jhmonroe

    You are on the right track; however, using the .htaccess code will not be enough for the issue, because it will block everyone from accessing the directory and files. It needs a PHP script in combination with some custom code to handle the different users’ access.

    Our team will probe the possible solution; however, we can’t give you any promises or ETAs about the implementation.

    Kind Regards
    Amin

    Plugin Support: Amin – WPMU DEV Support

    (@wpmudev-support2)

    Hello @jhmonroe

    I believe this could bring good benefits to the plugin, and we have already forwarded this thread as a feature request to our developers. We can’t give any estimated time or guarantee that it is going to be implemented, but I hope we can consider it in a future version.

    I also suggest subscribing to our roadmap to receive updates about our products: https://wpmudev.com/roadmap.

    That said, this was already forwarded to our developers and I am marking this thread as resolved, but if you have any additional questions, feel free to let us know.

    Best Regards
    Amin
