Protecting specific directories?

Nuroo · 11-14-2008, 07:23 PM

What is the best way to restrict access to directories of your choice? For example, when you upload a picture or any file in Wordpress it goes to the upload folder. If somebody wanted to, they can just type in the direct URL to the upload folder and then have access to everything in it. Same thing for the wordpress image folder. Does everybody use redirects? Or password protect? What's the most common or "professional" way to restrict access? Thanks all!

mr.joebert · 11-15-2008, 06:32 AM

It depends on how an application uses the files in that directory.

If the application outputs links directly to files in that directory, then your only real options are using something like the following in the folders htaccess file to prevent mod_autoindex from showing a listing of the files in there. This is assuming your setup is Apache and allows you the "Options Override" in htaccess.

Code:

Options -Indexes
ErrorDocument 403 "Access Denied

Or, adding a blank "index.html" for Apache, and for IIS "default.html" in the folder to prevent the indexing. Adding the blank HTML file will work just about anywhere, but it's not very good at explaining what's happening to the user.

Doing it one of those ways will keep the visitor from aimlessly browsing around in the content folders, they will need to know what they're looking for to access it. Password protecting the directories in this situation just doesn't make sense, because the appication needs to be able to direct legitimate visitors to the files in there.

However if the application is one that generally uses links similar to "file.php?file=123456" you can handle it in a few other ways, in addition to the ones above.

One would be to use CPanel to "Pasword Protect Directories" which will setup HTTP Basic Authentication (when the browser pops up a login window). You can consult the CPanel (or similar control panel) documentation about how to do that.

Another would be to modify for instance, htaccess in an Apache server, to deny from all by adding this to an (or the) ".htaccess" file in the folder in question.

Code:

Deny From All

that directive essentually tells the Apache server to do exactly what it says, deny serving requests from all who make requests.

Nuroo · 11-15-2008, 08:31 AM

I think I'll try the blank index page trick. By default, wordpress and my server does index every file in a directory and I don't want that obviously. I'm still pretty new to this but I will look into the httaccess suggestion also.

Nuroo · 11-19-2008, 03:03 AM

Ok, say I password protect my folder with all my images. The image directory is not even visible unless you put the complete URL, but it is used to store my template images like the logo, header, etc. So if I password protect that folder, will visitors still see my logo and header images on their browsers? Or will my page show up on their browsers with no images where the logo and header are supposed to be?

**ScriptMan** · 11-19-2008, 07:39 AM

Quote:

Originally Posted by Nuroo

Ok, say I password protect my folder with all my images. The image directory is not even visible unless you put the complete URL, but it is used to store my template images like the logo, header, etc. So if I password protect that folder, will visitors still see my logo and header images on their browsers? Or will my page show up on their browsers with no images where the logo and header are supposed to be?

Probably not. Meaning the images will not show because the script can not access the directory.

The blank index or one that says Forbidden is a better choice.

Nuroo · 11-19-2008, 01:44 PM

Quote:

Originally Posted by ScriptMan

Probably not. Meaning the images will not show because the script can not access the directory.

The blank index or one that says Forbidden is a better choice.

So redirects aren't usually used in these cases?

**~kev~** · 11-19-2008, 02:06 PM

Just create a simple index.html file and put it in the directory. If there is no index file google can scan the images in the directory and list them in its image search results. There is no real need to password protect an images directory if the images are viewable by the public. If you do that, the images will not be displayed.

At the top of the index page, put something like - "You may not view the contents of this directory or folder"

Place a link going to your home page, or your forum on the index page.

Put a 3 - 5 second redirect script in the header. I am using a 3 second redirect in my index.html pages.

So when someone tries to probe my images directory, they will get the index and can either click a link to go to the home page, the forum, or be sent to the home page after 3 seconds. So by the time they read what the page says, the redirect script sends them to the blogs home page anyway.

=================== EDIT =======================

Here is the code for my index.html file.

If 3 seconds is too long for you, change the content="3 to content="what ever number you want You can even set it to 1 second. And 1 second after hitting the images directory index file, the person will be sent to your home page.

<html>

<meta http-equiv="refresh" content="3; url=insert the address you want people sent to here">

<body>

You may not view the contents of this directory.

 

<a href="insert the address of your site here">insert the name of your site here</a>

 

 <a href="insert the address of your site here">insert the name of your site here</a>

</body></html>

**ScriptMan** · 11-22-2008, 04:47 PM

Why don't you just put a blank or forbidden index page in there and simply this whole mess?

**ScriptMan** · 11-23-2008, 03:44 PM

I must have missed one of the posts, I was only suggesting it for your image directory which is where this thread started.

Glad you worked it out to your satisfaction.