WooCommerce makes it really easy to sell digital content online. Whether you’re using DRM or not for your content, it’s best to not have a publicly-accessible link to your files. This article gives you a step-by-step process you can follow to create a WooCommerce secure download the proper way.

By default, WooCommerce will hide your files behind a link that looks like:

https://www.sellwithwp.com/?download_file=1820&order=order_51f6957&email=test@mailinator.com&key=5386bf4df1cf3e6c

This allows you to limit the number of times a file is downloaded and how long a download link should be active for. But what if some nefarious customer follows the redirect from the download link and discovers that your files are actually stored out in the open under the wp-content directory? They could easily post the link and anyone could simply download the file. There’s an easy way to prevent this from happening and to secure your WooCommerce downloadable files. Here’s the process:

Steps to WooCommerce Secure Downloads:

  1. Connect to your website via FTP or SFTP and browse to where your WordPress files are. You should see files like index.php, wp-config.php, etc. This is your “webroot” and any files stored here or in sub-directories are (mostly) publicly-accessible by default, unless you’re using .htaccess rules.
  2. Browse to the folder above your webroot and create a folder named “downloads”. Upload all your downloadable files into this directory. Within your FTP client, you should see an option to copy the full path. In Transmit on OSX, it looks like this:Sell with WP WooCommerce Secure Download Transmit copy path
  3. Log in to your WooCommerce store and browse to the Edit Product page. Change the “File Paths” section from the old URL to the path you just copied: Sell with WordPress WooCommerce Secure Downloads Edit Product Page
    Hit save and you’re done.

That’s it! Repeat this process to secure all of your WooCommerce downloadable files and place a test order to make sure you don’t encounter any errors. Once you’ve done this, you can delete the old files stored in your wp-content/uploads directory. The format of your links won’t change at all and there’s no visible difference to the customer.

Cover Photo Credit: Perspecsys.com (CC BY-SA 2.0 license)
Articles you may also like:

Posted by Max Rice

Max Rice is a frequent Sell with WP contributor and cofounder of SkyVerge. He develops eCommerce plugins for WordPress, and specializes in WooCommerce development. He likes writing articles about random WordPress and eCommerce topics.

23 Comments

  1. This is really great advice. I was looking for this exact answer. I wondered if I was going to have to pay for some kind of expensive plugin to protect my files. nice little trick and I love how easy it is. Thanks for sharing.

    1. No problem, we’re glad it was helpful!

  2. Aren’t the files still accessible from the outside if you follow the redirect? I would think they’d have to be otherwise the downloads wouldn’t work. It seems like you just moved them to a directory outside of the WP installation but still accessible to the public if they discover the URL. Mod X-Sendfile was recommended to me as an alternative but I have not gotten around to setting it up.

    1. They shouldn’t be when placed outside of your webroot, as Apache/Nginx won’t be able to serve them but PHP can. If you have access to mod-x-sendfile then it’s best to use that πŸ™‚

      1. Good to know. I’ll give it a shot, thanks.

  3. Hi,
    It didn’t work with the ordinary way for my download files so I tried above and this not either work. So I contacted my hosting company who said that there probably need to be some special permission for this folder on the server, is it like this?

    I haven’t deleted the upload folder because I thought maybe the hosting company could fix something can this be a problem?

    Thanks

    1. The folder and files inside need to be readable by your web server and PHP processes, otherwise this won’t work. You can ask your hosting provider to help you set those proper permissions πŸ™‚

  4. Thank you, Max… I tried to find the information that you have shared here at Woocommerce and just didn’t see it if it was there. I’ll try this. Signed up for your newsletter and posts! My Christmas list is growing. πŸ™‚ I’ll try to give back, Lordwilling my site produces giving to me. Thanks again. Laura

    1. welcome! glad to hear it was useful πŸ™‚

  5. Hi Max,
    Thanks for the advice but I’ve tried a few things and I’m now more confused than anything. My files(hosting) structure is as follow:
    – WordPress files are in “wp” folder
    – Above this I have “public_html” folder (Which I would think is my “webroot”)
    – Above this is another level which I’ll call “hosting root” for now.
    I’ve tried to move the downloadable files in a folder both under “public_html” as well as my “hosting root”. When the folder is in public_html anyone can access the files if they know the url (like mysite.com/assets/myfile.pdf) so no secure downloads here. When I place the folder in my “hosting root” the url can only use the IP (like 202.50.170.160/assets/myfile.pdf) and the link is treated as a ftp link, trying to connect to the hosting server.

    I thought I could control the access to the folder using permissions or maybe .htaccess file but I’m not sure what to use.
    Do you have any idea what I’m doing wrong or how I could fix my problem.
    FYI I’m using a WP multisite install but I don’t think this would change anything.
    Thanks

    1. Making a folder in your hosting root (like “assets”) should work fine. If you have SSH/command line access or SFTP/FTP access you can use that to navigate to that assets folder and either use `pwd` to show you the full directory path, or your FTP client may be able to display the full path. That path (+ the filename) is what you want to enter in WooCommerce for the filename. hope this helps!

  6. Fletcher Bumpus July 2, 2014 at 11:06 pm

    hi Max,

    I seem to be having trouble getting this to work correctly. I’ve created a folder that is outside the wwwroot folder (generically speaking) named ‘Download,’ made sure it had read permissions for public, and copied a sample file there. I’m using Windows and FileZilla, and couldn’t find anywhere that let me get the full path for the file, but I assumed it was /Download/filename.zip. I put this entry in the file paths section as mentioned above, saved and tried it – kept getting a 404. I’m hoping this is enough information, but is there something I’m missing?

    Thanks for your input – great article!
    -Fletch

    1. Hmm, you might have to ask your hosting provider for assistance with that — they should be able to give you the full path to your wwwroot — then you could just remove that and add your “download” path which should work πŸ™‚

  7. Hi Max.
    Thanks for your post! I’m really looking forward for a solution to secure my downloadable products.
    At the moment, using “Force Download” is not an option because users cannot complete big files downloads.
    My server does not have mod_xsendfile.
    The only option is “Redirect only”.
    Absolute path does not work with this option.
    Could there be another solution for that?
    What if we use .htaccess to redirect to a php file before hitting the download file to check the purchase?

    1. Hey Renan, if you have large files for users to download mod_xsendfile is really your best option. I’d look into a hosting provider that will be able to add that module for you rather than hack together a .htaccess rule to a PHP file πŸ™‚

  8. Thanks Max, I was having troubles with the files being publicly available, but this has fixed it for me πŸ™‚

  9. Thanks for great advice and useful instructions! I have done everything above and simulated purchases in my shop, and everything works just fine, until the downloaded product is corrupt and void of all data. Why is that? I have tried different paths to my folder, or to each specific product, and the only time the download wasnΒ΄t corrupt, was when I used the ftp://xxxxx_master/etc. link to the folder; but then I had to use my password to the master FTP to get access to the product – and thatΒ΄s nothing I would want to hand out to customers πŸ™‚

    Currently I use the Linux path to the folder, and doing so I enter the path to each specific product in the folder. This works fine in every step of the purchasing process, until it shows that the product is corrupt and contains no data. Can it have something to do with my site being under SSL encryptation? I have checked the respective categories rights in the “downloads” folder and I can see nothing that not looks right there. The file type in question for both purchase and testing is PDF-documents.

    1. It sounds like it may be a hosting issue if the PDF file is corrupt. I’d ask them if they have any restrictions in place on the filesystem which might be causing the corruption πŸ™‚

  10. First: thanks for reply and consideration of my problem!

    Second: I contacted my host provider, and they told me my the corruption is due to server restrictions. The only folder that could come in question for such downloading purposes would HAVE to be under my “public_html” folder – no place else. The solution I was presented, is to create a “downloads” folder under my “public_html” and use an .htaccess file where I specify conditions for what and whom is allowed access to the folder.

    The issue I now face is: How do I specify the script so I allow WooCommerce to link a download from that folder – since the links generated from a purchase I suppose are temporary? How do I link to that folder in WooCommerce so access is granted?

  11. Hello Max,
    It’s really helpful article as others, thank you.
    I just a bit confused that article is best way for me or not.
    I would like to sell a magazine but not monthly, yearly or whatever subscription, just one time payment . I just want to that when the customer buy a magazine immedietly redirect a new tab and see the readable PDF not download PDF. And also when customer buy a magazine after then can access other magazine issues.

    For example : I’m a customer. I click the Buy item any magazine on shop page after redirect to me if I pay this item to a new tab and i read PDF on the new tab so i saw a link on last page the PDF. The link says” You can access other issues when click this link i can read other magazine issues.

    How can I do that ? This article help with me ? πŸ™‚

  12. Hi Max,

    Thank you for this powerful tip. I successfully implemented it in one of my woo commerce stores. I hope this will help me reduce the black downloads :/

    Anyways for those of you who don’t know how to get the absolute path to the file, follow this guide – http://bogdan.org.ua/2007/04/30/how-to-find-absolute-path-on-a-web-server-using-php.html

  13. Hi,

    Thanks for the wonderful article! I was able to make it worked on our site but we encountered 1 problem:

    When we set File URL value to=d:/hostingxxx/xxx/downloads/file.xxx, on save the field value is reset to http:// but the file can be downloaded. The next time you save the product and didn’t set again the value then the file will be empty. Any idea why?

    Thanks.

  14. Thanks for this awesome guide. Are there any WordPress plugin available with advance functions for this purpose?

It's been over 2 years since this post was published, so comments have been closed. Thanks for reading!