james david low

live / work / play / worship

Private Files

Ok, latest wordpress plugin. I’m getting quite into these. The other two were modifications. This one is completely from scratch. There are several plugins to make a blog private, making it a good tool for basic collaboration / group ware. However file attachments / images have still been visible to the public, until now.

Private files acts as a proxy, making sure users are logged in before they can download any files. The nice thing about it is that it doesn’t modify the current uploads at all and doesn’t store files in a different place, so if you want to stop using it, all links to files stay the same and you don’t need to redo anything.

Download it here: http://wordpress.org/extend/plugins/private-files/

If you have deactivated the plugin or deleted it and you want to unprotect your files manually, just delete the .htaccess file within your wp-content/uploads directory.

As with most wordpress plugins, the security is not guaranteed, use at your own risk.

Change Log:
0.40
Added MS Office 2007 mime types
0.39
Enhancements to block URLs with /../ in them
0.38
Bugfix which prevented logged in subscriber users from accessing files.
0.37
Now accounts for spaces in file names
0.36
Shows a warning if you are not using WordPress permalinks
Should work on a wider variety of WordPress setups (subdirectories etc.), but uploads must be a subdirectory of your WordPress directory.
Should work with relative and absolute upload paths
Tested on the latest version of wordpress
0.35
Now uses raw file() read instead of echo, which should clear up issues on some setups.
0.34
Bug fix so this actually works under various wordpress conditions, eg. root and not root installations of wordpress
Tested with wordpress 2.5.1
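
How a proxy of this kind can decide whether to serve a request, including the /../ case from the 0.39 change log entry, shown as an added example that is not the plugin's own code. The function names, the `$loggedIn` flag (standing in for WordPress's `is_user_logged_in()`) and the temporary directory tree are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's code. Function names, the URL prefix and
// the sample files below are assumptions made for this illustration.

/**
 * Map a request URI to a real file inside $uploadsDir, or return null.
 * $urlPrefix is the URL path of the uploads directory, e.g. /wp-content/uploads
 * (or /word/wp-content/uploads for a subdirectory install).
 */
function resolve_upload_request(string $uploadsDir, string $urlPrefix, string $requestUri): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return null;
    }
    // Drop the query string, then decode once so %20 (spaces in file names)
    // and %2e%2e (encoded dot-dot) are handled as the characters they stand for.
    $path = rawurldecode(explode('?', $requestUri, 2)[0]);
    if (strpos($path, "\0") !== false) {
        return null; // NUL bytes never belong in a file path
    }
    $prefix = rtrim($urlPrefix, '/') . '/';
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // not a request for the uploads tree
    }
    $relative = substr($path, strlen($prefix));
    // realpath() collapses ../ and follows symlinks; false means no such file.
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment is checked on the resolved path, with a trailing separator
    // so a sibling such as /uploads-old does not count as inside /uploads.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Never hand out the rewrite rules themselves or other dotfiles.
    if (basename($real)[0] === '.') {
        return null;
    }
    return $real;
}

/**
 * Decide what the proxy answers: [HTTP status, file to stream or null].
 * The login check comes first, so anonymous requests get the same answer
 * whether or not the file exists.
 */
function private_file_decision(bool $loggedIn, string $uploadsDir, string $urlPrefix, string $requestUri): array
{
    if (!$loggedIn) {
        return [403, null];
    }
    $file = resolve_upload_request($uploadsDir, $urlPrefix, $requestUri);
    return $file === null ? [404, null] : [200, $file];
}

// --- Demo on a constructed directory tree (runs offline with the php CLI) ---
$root = sys_get_temp_dir() . '/pf-demo-' . bin2hex(random_bytes(4));
$uploads = "$root/wp-content/uploads";
mkdir("$uploads/2008/04", 0700, true);
file_put_contents("$uploads/2008/04/my file.mp3", 'audio');
file_put_contents("$uploads/.htaccess", 'RewriteEngine On');
file_put_contents("$root/wp-config.php", 'secret');

$cases = [
    [true,  '/wp-content/uploads/2008/04/my%20file.mp3'],               // logged in, real file
    [false, '/wp-content/uploads/2008/04/my%20file.mp3'],               // anonymous, real file
    [true,  '/wp-content/uploads/../../wp-config.php'],                 // plain /../ escape
    [true,  '/wp-content/uploads/2008/%2e%2e/%2e%2e/%2e%2e/wp-config.php'], // encoded escape
    [true,  '/wp-content/uploads/.htaccess'],                           // rule file itself
];
foreach ($cases as [$loggedIn, $uri]) {
    [$status] = private_file_decision($loggedIn, $uploads, '/wp-content/uploads', $uri);
    printf("%-5s %-64s -> %d\n", $loggedIn ? 'user' : 'anon', $uri, $status);
}

// Remove the constructed files again.
array_map('unlink', ["$uploads/2008/04/my file.mp3", "$uploads/.htaccess", "$root/wp-config.php"]);
array_map('rmdir', ["$uploads/2008/04", "$uploads/2008", $uploads, "$root/wp-content", $root]);
```

Only the first case resolves to a file to stream; the anonymous request is refused before the filesystem is touched, and both escape attempts and the dotfile resolve to nothing.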


If you found any of the software useful, please consider supporting its further development by donating.
9:22pm / Jan 28th / 08

80 Comments

    I’m getting an error when I try to activate the plugin:

    Parse error: syntax error, unexpected ‘{‘ in /www/pathto/plugins/privatefiles.php on line 31

    12:30am / Jan 31st / 08 BGH Quiz

    try redownloading / uploading the plugin. i just tried the latest version (0.3) from wordpress and it worked fine for me.

    12:40am / Jan 31st / 08 James Low

    No, of course it’s still the same problem, the file is not corrupted. Most likely it’s a PHP-problem, maybe you’re using a tag that does not work with PHP 4.4.7.

    1:43am / Jan 31st / 08 BGH Quiz

    You could be right, I’m only testing on PHP 5. I’ll give PHP 4 a test and get back to you.

    10:32am / Jan 31st / 08 James Low

    Thank you very much. I’ll be checking back.

    11:58am / Jan 31st / 08 BGH Quiz

    Ok, done a quick update to version 0.31, and should now work with PHP4

    10:12pm / Jan 31st / 08 James Low

    Thank you! I’ve managed to install it now. =D

    11:56pm / Jan 31st / 08 BGH Quiz

    great, let me know how it goes, this plugin is only a few days old, so it will probably need some issues worked out…

    12:00am / Feb 1st / 08 James Low

    After enabling the plugin and protecting my files, I find I cannot download files even after I have logged in. The plugin seems to not be intercepting the 404 error, since I’m always redirected to my 404 page.

    I’ve disabled all other plugins to make sure I had no conflicts. Any suggestions? Dreamhost is my web host — do you know of any code in the plugin that might be incompatible with their php setup? I’ve run into that once before…

    Thanks!

    8:21am / Feb 25th / 08 Scott Beyer

    Hi scott, my blog is hosted on dreamhost, so it should work with your setup. The first thing I can suggest is make sure you have enabled rewrite rules in wordpress. For example this post has a virtual url: http://jameslow.com/2008/01/28/private-files/

    If you’re using wordpress with urls like:
    http://www.myblog.com/?p=123
    It won’t work.

    12:26pm / Feb 26th / 08 James Low

    Thanks James. Good to know the host isn’t the issue. I am using permalinks the same way you are. I’ll keep exploring, and will let you know if I find the culprit.

    12:17am / Feb 27th / 08 Scott Beyer

    Firstly, THANKS!
    I’ve been searching for a plugin like this for a long time.

    Can files be downloaded only by right-clicking links?

    Are you going to develop the plugin further? Do you have a roadmap? Hope you do.

    jak

    6:33am / Mar 8th / 08 jakfolio

    Hi!

    Can the plugin be modified so that only a specific group of Login/Registered Members e.g. Contributors can view the private files?

    Thanks!

    ~ Melba

    5:12am / Mar 9th / 08 Melba

    Hi Jakfolio / Melba,

    Currently there is no roadmap, though it does sound good to be able to have users of a certain level access files, and it would be possible to implement. I’ll let you know if I ever add that feature.

    J

    8:37pm / Mar 9th / 08 James Low

    Hi, I tried this plugin on an wp-mu install but couldn’t get it to work, I guess it is because mu uses its own rewrite rules for the upload directory. Any ideas on how to get it to work?

    6:20pm / Mar 12th / 08 Manne

    Hey everyone, just to let you know there’s a new version out with an option to allow only users above a certain level to do few files.

    Manne,
    Never used wp-mu, it very well could be because of the rewrite rules in the upload directory. It may be possible to make them work together, but I don’t see it in the near future.

    6:38pm / Mar 12th / 08 James Low

    Hi, I think it’s a great plugin and right for what I searched so long. But one issue: I created custom roles with role manager, but your plugin assumes that there are still the default roles. I protected files with user access level “All”, so any logged in user should see the file, right? But it doesn’t work. My user has level 5 with custom capabilities and cannot see the file. Only the admin does. Would it help to reestablish the default roles?

    8:41pm / May 1st / 08 Thomas

    hi,
    what do you mean by “root is using .htaccess authentication”?
    My Apache server supports it, but I have no .htaccess. Do I just need to add that file?

    but then what do I put in that file?
    Do I need to specify a string of text that will redirect to the WordPress authentication from the database, instead of looking for a password from the user?

    Every time I install your plug-in I find that the folder to protect ends up being protected… by the .htaccess files, and thus I need to provide 2 passwords…

    Also I am using WP-Multilingual and when I set up the Permlink, I can only use the full links… the redirections from root fail.

    12:37am / May 14th / 08 mathieu

    I have a problem, it seems that plugin doesn’t process 404. A link to file is like “www.mysite.com/wp-content/uploads/2008/04/myfile.mp3″ and I get nothing. No page and no file.

    When plugin is off and files unprotected – download starts, when is on – nothing.

    I use latest version of wordpress for today.

    12:12pm / May 21st / 08 roma

    hmm… interesting… when protected – no file, when unprotected – downloading ok. .htaccess is in its place in both cases. So, it seems plugin is processing 404.

    But what then? Any ideas?

    12:16pm / May 21st / 08 roma

    Ok, realised there were a few problems with this plugin. I’ve released a new version that has been tested with wordpress 2.5.1

    4:41pm / Jun 10th / 08 James Low

    love the plug in – but it killed my rss feed! Any clues to why that would happen?

    3:53am / Jul 2nd / 08 Michael

    hmmm, I’m not sure, are you using allow categories as well? because that will disable your rss feed or just show titles depending on your settings.

    sites that i used this plugin on are still working in rss feeds.

    10:27am / Jul 2nd / 08 James Low

    I am using the Private WP plug-in. The blog is live – I dont want to mess with it until tonight – but I will send you the errors on the feed once I can get to them. Thanks for your response!

    9:51pm / Jul 7th / 08 Michael

    Hi James,
    I stumble upon your plugin, and it seems to be the perfect one for protecting files!
    I just had few questions:
    – Will it protect all folders and sub-folders within the wp-uploads folder?
    – Do you need only one .htaccess ?
    – there are no difference between files uploaded from Wp or by ftp with your plugin ? (i mean your plugin will not make a difference, right ?)

    thanks a lot!

    Sebastien

    11:46pm / Jul 10th / 08 Sebastien

    Yep, this plugin will protect sub-folders because the .htaccess rules apply to all sub-folders until apache detects another one. And yes it should work the same for files uploaded by FTP or wordpress.

    This plugin is offered for free though, and I can’t guarantee it is 100% flawless.

    8:54am / Jul 11th / 08 James Low

    I am getting the following errors when I try to protect my files. Any help would be appreciated. Thanks.

    Warning: mkdir() [function.mkdir]: No such file or directory in /home/theeslbl/public_html/litconn/corporate/wp-content/plugins/private-files/privatefiles.php on line 164

    Warning: fopen(/home/theeslbl/public_html/litconn/corporate//home/theeslbl/public_html/litconn/corporate/wp-content/uploads/.htaccess) [function.fopen]: failed to open stream: No such file or directory in /home/theeslbl/public_html/litconn/corporate/wp-content/plugins/private-files/privatefiles.php on line 168

    Warning: fwrite(): supplied argument is not a valid stream resource in /home/theeslbl/public_html/litconn/corporate/wp-content/plugins/private-files/privatefiles.php on line 169

    2:13am / Jul 22nd / 08 Jon Meek

    OK, so I fixed the errors that I mentioned above. The problem was that my uploads directory was in a sub-directory of the blog root. Once I Moved the uploads dir to the root, the files would protect fine.

    Now, the problem I am having is that when the files are protected, I cannot see the files at all and I get a 404 error. This is the same problem that Scott mentions above.

    4:26am / Jul 26th / 08 Jon Meek

    Thanks for solving at least one of your problems. Sorry I’ve been a little busy and can’t look at it right now, but I will try and make the plugin work under more settings.

    12:28am / Jul 28th / 08 James Low

    Hi James, my problem right now is the same that Jon has. I have my blog running on http://www.master-fundraising.it/areastudenti, mod_rewrite is ok, .htaccess is in the uploads directory, but when I activate the plugin it seems not to work as Jon said.
    Thanks for your plugin, it really helps. ciao francesco

    3:17pm / Aug 1st / 08 francesco

    [...] the post revisions from 2.6. I use wordpress on some intranet pages along with allow categories and private files to control access to sensitive information. The new revisions work great because in a world of [...]

    hey I am having the same problem. I reinstall a 2.51 with the plugin but still no luck. any help? Thanks

    12:06am / Sep 11th / 08 Graham

    Hi! firstly, thanks for a great plugin, it’s a really elegant way of solving quite a common problem. Is there a way that your plugin can be file type specific? Because, for example, if a person creates a post which is for public consumption (i.e. loggin in is not necessary) with images in, your plugin does not allow the images to be loaded.

    So, is it possible (probably adjusting the rewrite rule in the .htaccess I would guess) to specify files which are allowed – i.e. .jpg, .gif, .png, .bmp files will be allowed, but all others wont be…

    Or alternatively you can specify which file types to block, so if a post/page has .doc, .pdf, .xls files attached to it, a person has to be logged in to download them…

    Great plugin btw!

    3:27pm / Sep 16th / 08 Richard Tape

    As a follow-up to my post above I have re-written the .htaccess file as follows:

    RewriteEngine On
    RewriteBase /wp-content/uploads
    RewriteRule \.(gif|jpg|png)$ - [L,NC]
    RewriteRule . /afilethatshouldnotexist.txt
    Options -Indexes

    which now allows for those 3 image types… hope this helps some people and perhaps you, James.

    3:53pm / Sep 16th / 08 Richard Tape

    Hey,

    Richard, sounds like a great idea, after creating the .htaccess file with the plugin, you could edit it to do what you want, as private files won’t recreate it unless you tell it to. I’m busy with other work though, so adding it as user configurable option won’t be added too soon.

    For those of you with problems, paid work is stopping me from looking at them in detail. Sorry :-(

    James

    3:54pm / Sep 16th / 08 James Low

    Oh, I posted before your 2nd comment, thanks Richard !!!

    3:56pm / Sep 16th / 08 James Low

    Has anyone managed to get Private Files working with WordPress 2.6? I realize that James doesn’t have time to devote to that right now, but was just wondering if anyone else out there might be looking into the changes required to support 2.6.

    1:27pm / Sep 18th / 08 Nelson Yount

    Hey Nelson,

    I have it working on all my 2.6 based blogs, so the problems that are coming up are something specific to the setups people have, that’s why it’s really hard to spend the time doing it, because I’d have to do a lot of work with them trying to see what was going wrong on their setup.

    James

    9:42pm / Sep 18th / 08 James Low

    James,
    I have mine working now also. The fix was two-fold. First I had to modify our GoDaddy-hosted site configuration to actually produce real 404 errors, rather than the GoDaddy default error page.

    Next I found that the .htaccess file that Private Files was generating in my uploads directory had lines like the following, in spite of the fact that my WordPress installation is in a “/word” subdirectory rather than the root of our site:

    RewriteBase /wp-content/uploads
    RewriteRule . /afilethatshouldnotexist.txt

    Manually modifying those lines to read

    RewriteBase /word/wp-content/uploads
    RewriteRule . /word/afilethatshouldnotexist.txt

    fixed the problem, but I haven’t yet figured out the problem in the code that caused it to be generated that way.

    3:02am / Sep 19th / 08 Nelson Yount

    Spoke too soon…

    Things are working fine when I use Firefox, but there is something about the headers or content being produced by the private_file() function that IE 7 does not like. It appears to perform the download of the complete file, but then either finishes without displaying any new content in the browser window (in the case of PDF files), or with a “Could not open ” error (in the case of Excel files).

    6:31pm / Sep 19th / 08 Nelson Yount

    James :) at first… thanks for your plugin!

    I have this idea. I hope you can help me.
    I would like to block another folder. I’m thinking of letting my users see images… and I would like to protect just some files.

    So I’ll put these few files into another folder… but how can I protect a different folder from UPLOADS?

    Thanks in advance :)

    9:13pm / Oct 14th / 08 Ciro 3d

    I am trying to use your plugin in conjunction with Social Access Control. In this combination, control of access to posts and pages works perfectly but I cannot get Private Files to work. I also tried their variant on your plugin Private Files for Social Privacy and get the same results. When Protected is enabled I can cause a blank page to be displayed or by tweaking things cause a “looking for something that is not here” page.

    I also tried the manual htaccess change suggested in these comments to change the paths to the specific directory structure /word/wp-content/uploads and the other. Those changes generate the traditional missing page error message.

    There were some comments about changes required by host servers. This site is hosted on 1and1.com.

    Does anyone have any suggestions or avenues of inquiry I could follow?

    11:58pm / Mar 11th / 09 Glenn Caleval

    [...] plugins to make a blog private, making it a good tool for basic collaboration / group ware… …..read more Download Plugin! Plugin Owner: James Low Homepage: Visit Plugin’s Website Version 0.35 | [...]

    I made two small changes to the plugin code for it to work on a shared GoDaddy hosting account:

    1. Line 214, change
    if ($pos != '') {
    to
    if ($pos !== '') {

    Type equivalence testing was required.

    2. Line 212, private_upload_path was returning the full path to the upload directory rather than relative to root, so you’d end up with $upload having the value like this:
    /home/content/x/y/z/xyz/html/wordpress/wp-content/uploads

    when you really just want $upload to have this value:

    /wordpress/wp-content/uploads

    So, use str_replace to eliminate the unnecessary path info and you’re good to go.

    2:46am / Mar 24th / 09 Tim Charles

    Hi James,
    I tried to install your plugin on WP 2.6.2.
    but I’m not sure what I’m doing wrong.
    After activating your plugin and uploading some files they are always protected (404).
    here
    http://domain/wp262/wp-content/uploads/2009/03/image1.png
    and also in a post I can’t see any image.
    It does not matter if I’m logged in or not, the uploads folder is always protected.
    What am I doing wrong? Can you help? Thanks

    5:42pm / Mar 30th / 09 mike_m

    [...] lots of shite involved there though.  Private Files [...]

    I am building a WordPress web site that may require a modified version of Private Files, that secures individuals files based on the individual user. Would you be interested in me hiring you to modify the plugin?

    Thanks,
    ~randy

    3:28am / May 15th / 09 Randy

    James —

    What’s to keep a person from guessing the URI of an uploaded file and going there directly? That’s fine with me if the user is logged in — but can a user do that who’s not logged in?

    Incidentally I knew Dawen Wang in high school. Tell him I said hi if you talk to him. Small world!

    Thanks,
    Benjamin

    1:03am / Jun 16th / 09 Benjamin Wolfe

    Randy, sorry a little too busy at the moment.

    Ben, how the plugin works is it intercepts using a .htaccess file before a user can download a file, and checks if they’re logged in. If they are logged in the file contents will be streamed by the plugin, if not nothing will be sent. Even if a non-logged in user guesses the URI the plugin intercepts this query so should not be able to access it.

    Its not been extensively tested for all security holes though, so a little disclaimer I’m not responsible for any loss due to the use of this plugin.

    Oh, you knew Dawen, were you in Sha Tin College too?

    8:27am / Jun 16th / 09 James Low

    Thanks James, maybe I’ll give it a whirl.

    I went to Lexington High School in Lexington, MA. I knew a Dawen Wang there… I imagine he’s the same one.

    Regards,
    Benjamin

    10:19pm / Jun 16th / 09 Benjamin Wolfe

    Am working on http://www.infantsandchildren.net/employee/

    Like Tim Charles, the file stays protected no matter what. I tried :

    @ Line 212, Used str_replace to eliminate the unnecessary path info as suggested in a previous post.

    When the 404 message displays, the URL in the address bar displays the exact URL of the file called for so everything seems to point to the correct place.

    Have tried with WP 2.7 and 2.8

    Help! Please!

    6:28am / Jun 19th / 09 Donna Dunn

    Working on a site for my church and want to password protect the weekly bulletins and newsletters from being downloaded. However, I am having a similar problem to others above – even if I am logged in – if I mark the files as protected, I still can’t download the files. If I unprotect everything then I can download them. I am using the newest version of wordpress…I have godaddy hosting – any thoughts on what I need to do? Am I supposed to create the htaccess file myself or does that plugin do that for me? Thanks for your help…

    9:13am / Jul 3rd / 09 Joe

    One more tidbit for the post above – I was able to get this to work for everyone but contributors….it won’t work when I apply a role of subscriber to a user though. Any way to fix that? Thanks again…this is a great plugin!

    11:02am / Jul 3rd / 09 Joe

    I’m trying to install this plugin, but my status never changes from unprotected. No matter what I do, I can’t get it to protect the file. Any help?

    7:10am / Aug 13th / 09 Travis W

    There’s a new version out. if you were having problems before, try it, might fix them for you.

    11:19pm / Aug 17th / 09 James Low

    Hi,
    first thank you very much for this plugin – i just started 1 day ago with my first steps in WP… to make the website secure i needed exactly this little tool! SUPER!

    Well just to let others and maybe you know: After installing the Plugin I was unable to see the content of the blog (background, header, widgets, etc.) so I figured out that I needed to put the .htaccess not into the wp-content folder – but in the subfolder for real private content (in my case it’s wp-content/2009/……).

    That way the “theme” content is not blocked if you’re not logged in ;)

    I hope this helps maybe you or other users for this wonderful piece of software!
    (Or maybe this is just bullshit and i’m too new and unexperienced at WP).

    Anyway, thanks!

    8:25pm / Sep 16th / 09 Paul K.

    Hi James,

    Is there any way to protect a folder other than the uploads folder? This would be very useful.

    Thanks!

    10:40pm / Sep 16th / 09 CyberSNAC

    as a follow up. I think I’ve found the code that does the protecting and inserts the .htaccess file. It won’t let me insert it here.

    Can anyone advise how to alter this for a custom path? Or to just add a custom path so that the plugin protects both the uploads folder and an additional folder?

    11:02pm / Sep 16th / 09 CyberSNAC

    Is there any way to use same time protected files and public files from medialibrary.
    Also when you upload files can you select if it is public or protected?

    2:22am / Sep 24th / 09 dispco

    I have the same problem with 404 message display. I notice that:
    When I use the plugin in a domain with multiple wordpress installations, it doesn’t work if the protected site is on a subdirectory and the wordpress is also installed in the root directory.
    If there isn’t wordpress installed in the root the wordpress installations are working.

    4:57pm / Oct 9th / 09 Panagiotis

    [...] You can download it here. And here is the page about this plugin at James David Law's site. [...]

    Is it possible to change path into html (root)
    /wp/wp-content/downloads ? This is also the path in .htaccess. At the moment the plugin doesn’t work with this path.

    1:27am / Dec 29th / 09 Ramona

    I use this plugin, but when a user clicks on an attachment they receive the following error:

    Warning: strpos() [function.strpos]: Empty delimiter in /public_html/wordpress/wp-content/plugins/private-files/privatefiles.php on line 211

    Could you help me?
    Thanks

    8:03am / Jan 8th / 10 Marco

    Hello,
    I was hoping you could help me with the following error:

    Warning: mkdir() [function.mkdir]: Invalid argument in D:\Inetpub\localuser\PhoenixHN\phoenixonline\wp-content\plugins\private-files\privatefiles.php on line 162

    Warning: fopen(D:\Inetpub\localuser\PhoenixHN\phoenixonline\wp-admin/D:\Inetpub\localuser\PhoenixHN\phoenixonline/wp-content/uploads/.htaccess) [function.fopen]: failed to open stream: Invalid argument in D:\Inetpub\localuser\PhoenixHN\phoenixonline\wp-content\plugins\private-files\privatefiles.php on line 166

    Warning: fwrite(): supplied argument is not a valid stream resource in D:\Inetpub\localuser\PhoenixHN\phoenixonline\wp-content\plugins\private-files\privatefiles.php on line 167

    5:41am / Jan 13th / 10 Christopher

    Hi James,

    Is this plugin compatible with WordPress 2.9.2? I’m getting this error when installing, activating, and trying to access an uploaded file. I’m logged in at the time:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@xxxx.xxx and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.
    Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch Server at xxxx.xxxx.xxx Port 80

    If I deactivate, I can get access to the file.

    Thanks,

    Jeff Miller

    6:21am / Feb 21st / 10 Jeff Miller

    Hello, James:

    First of all, thanks for the plugin, it usually works very nice… but after migrating my blog to another server, I’ve found the same problem as Jeff Miller (above).

    It only happens if I activate the “Force user login” option, otherwise it works OK. The only apparent difference between both servers is that the new one has different server names for HTTP and MySQL (not “localhost” for the hostname in wp-config.php).

    Thanks in advance,

    Raul

    7:05pm / Jun 21st / 10 Raul

    Hello again, James:

    It seems that commenting out line 354:
    // header("Status: 302 Moved Temporarily");
    solves the problem I’ve commented above…

    Thanks again for your plugin!

    Raul

    2:51pm / Jun 22nd / 10 Raul

    I installed to WordPress 3.0 and it promptly shut down my entire site, giving me a 500 error. Every page was this way: Posts, pages, wp-admin, etc.

    After some poking around, I deleted the .htaccess file (which was placed in the blog’s root directory), which gave me access to the wp-admin and site index, but not to Pages or Posts.

    After more poking around, I was able to restore correct operation by adding a new .htaccess file to the root directory with the following (taken from another WordPress blog):


    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    It appears that your plugin removes this line from the .htaccess file, but it is necessary for correct operation. Perhaps the .htaccess file is supposed to go somewhere other than the root directory? I will poke around some more to find out.

    3:58am / Jul 9th / 10 Tobias

    I haven’t tried it on 3.0 yet so maybe it doesn’t work on that.

    The .htaccess file my plugin creates should go in the wp-uploads directory. Maybe wordpress 3.0 changes how you find out what that is.

    I’ll have a look sometime too.

    7:06am / Jul 9th / 10 James Low

    It would be great if you could take a look at making this work with WordPress 3.0…

    6:03am / Jul 29th / 10 tony

    Will try and test and see why its not working on 3.0

    3:28pm / Jul 31st / 10 James Low

    Is anyone able to make the plugin work with WP3?
    I am trying but having trouble with function apache_request_headers().

    4:59am / Aug 10th / 10 Eric

    Hi.
    I wonder if its possible to protect more than one Uploadfolder (I am using WP 3 with Multisite enabled and need the possibility to protect the other uploads folders too.)
    Kind regards,
    Max

    5:34am / Sep 16th / 10 herrmax

    Hi James

    I have followed the instructions in the plugin, but when I click ‘Protect’ nothing changes, the cp still says ‘Unprotected’.

    Can you suggest why this may be?

    Thanks

    5:52am / Oct 14th / 10 ghostcorps

    Thanks it works as I would like it to work!

    2:51am / Mar 4th / 11 Mudfooted

    I got it to work in WP 3. In privatefiles.php, find

    function private_upload_path() {
    $raw = get_option('upload_path');
    return (substr($raw,0,1) == "/" ? substr(private_upload_fullpath(),strlen(private_root())+1) : $raw);
    }

    Change the +1 to +2.

    The protect button in the CP may put the .htaccess file in the wrong place (root, don’t do it).

    Make your own .htaccess file containing the following and manually put it in the wp-content/uploads folder on your server.

    RewriteEngine On
    RewriteBase /
    RewriteRule . /afilethatshouldnotexist.txt
    Options -Indexes

    2:40am / Aug 27th / 13 rlamfink

    Strangely, it seemed to work for a few minutes, then not. Sorry for the false alarm.

    3:09am / Aug 27th / 13 rlamfink

    Ok, I think I got it now.

    In privatefiles.php, in the two places you see
    get_option('upload_path')
    change it to
    "wp-content/uploads/"
    including the quotes.

    Then go to the Private Files CP and choose a level and click Protect. It should place the .htaccess file properly now.

    8:19pm / Aug 27th / 13 rlamfink