Prevent Direct Access to WooCommerce Digital Product Files

Problems

Many online business owners feel shocked when finding out that their WooCommerce digital product files are being indexed by Google. Worst still, these private files can be directly accessed by anyone...

Apparently, all business owners and online product sellers only want people who have purchased a product to have access to their unique download link and product files. In other words, these files should not be accessible to the public and unpaid customers.

What's more, the customers should not be able to share their download link with others. They must log into their account and download the digital files.

Here are some problems with how WooCommerce digital products work at the moment:

  • WooCommerce digital product files are being indexed by Google and other search engines just like any other file uploads on your WordPress media library
  • WooCommerce only protect files uploaded under “Products” - if you choose an existing file on your media library, it will not be protected
  • WooCommerce protect downloadable product files using a very simple .htaccess rule which does not work for NGINX and Windows servers
  • There is no proper authentication check from WooCommerce. If someone somehow can bypass the .htaccess rules, they can just access your paid digital files directly for Free

Is Amazon S3 a solution?

Yes and no. Many people thought uploading their digital products to Amazon S3 would help. Unfortunately, it turns out all file uploads to Amazon S3 are not only indexable by Google and other search engines but also accessible to anyone no matter how ugly and complex the file URLs are.

Amazon S3 Files Indexed By Google
An Amazon S3 file is indexed and appears on Google search result

Proposed Solutions

#1 Use Prevent Direct Access Gold

  • Protect your WooCommerce digital product files from being indexed by Google and accessed directly by unwanted users
    • You can selectively choose to protect only paid product files
    • The rest of the files are still accessible and indexable by Google for SEO purposes
  • Specify which users (admins, logged-in users or customers) can access your protected files. Prevent Direct Access Gold enhances WooCommerce protection of their product files with proper authentication and permission checking no matter you're using Apache, Nginx or IIS (Windows) server.
    • By default, WooCommerce will assign your users as "Customer" after purchase. So you can set the File Access Permission of your product files to "Customer" user role after upload.

#2 Integrate the Gold version with the S3 extension

Once you sync or offload your protected files to Amazon S3, our extension will set the file permission to private. In other words, no one is able to access your product files directly as there is no public Amazon S3 URL anymore. As a result, your digital product files won't be indexed nor appear on Google search result either.

The only way to access these files is by using Amazon Signed URLs generated by our extension (through your provided APIs). And only your paid customers will be able to do so after purchase.

Challenges

Our customer also wants to utilize both Amazon S3 and CloudFront CDN for his website. Typically, your CloudFront distribution whose origin is set to the Amazon S3 bucket will have access to all media files hosted on the bucket.

That is to say, even if you set the permission of certain Amazon S3 files to private (with no public Amazon S3 URLs), people could still access your private protected files through the CloudFront domain (or CNAME). Though our plugins don't expose CloudFront URLs of your protected files, some people could still find out these URLs through your website requests.

That issue requires us to separate protected and unprotected files hosted on Amazon S3 bucket into 2 folders with 2 different permissions. You should then point the origin of your CloudFront distribution to the public folder instead of the entire S3 bucket. Once pointed properly, your protected files will be in safe hands.

This change also allows you to use the same bucket for multiple websites.

Potential Improvement

Another problem with WooCommerce comes from guest purchases who are not required to log in to download the digital product files. As a result, they could simply share their download link with others after purchase.

Tracking IP addresses?

One solution to this problem is to log the customer's IP addresses after purchase. Our plugin will then compare this IP address with those on the customer download log provided by WooCommerce and notify the website admin of suspicious activities. As a consequence, any suspicious attempts to download your product files could be blocked if necessary.

Check out our WooCommerce integration extension which restricts IP access to both your product files and customer's order page.