I'm a happy user of Easy Digital Downloads and I use it to sell all my plugins, but a month ago I found a security issue on my site that I would like to share (now that it's resolved) so other people can protect their files.
Basically, EDD uses an .htaccess file to protect downloads from unauthorized users, but what happens when you run an Nginx server like I do? The short answer is: nothing. Nginx never reads .htaccess files, so your files are not protected at all.
So anyone willing to do a bit of research could get your plugins for free. How? All files are stored under wp-content/uploads/edd, in the usual WordPress year/month subfolders.
So if you publish a changelog that lists each plugin version and its release date, someone can simply work out the path, request wp-content/uploads/edd/2015/02/popups-premium-v1.2.3.2.zip directly, and download your plugin without paying.
To avoid that, add the following to your site's nginx config file, inside the server block. Afterwards run nginx -t, reload nginx, and confirm with a direct request (for example curl -I against one of your own file URLs) that the file no longer comes back with a 200.
    # EDD + Nginx - protect your files
    location ~ ^/wp-content/uploads/edd/(.*?)\.zip$ {
        # Permanently redirect any direct request for a .zip under edd/ to the
        # site root. Note the explicit regex: the two-argument form
        # "rewrite / permanent;" is parsed by nginx as regex "/" with the
        # replacement "permanent", not as a permanent redirect.
        rewrite ^ / permanent;
    }
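The rule above only covers files ending in .zip, and a later regex location (a static-asset caching block for zip files, for example) can take precedence over it, because nginx picks the first matching regex location in file order. The following is an added example, not the post's gist and not EDD's documented snippet: it denies every direct read under the EDD upload directory, which is what EDD's own .htaccess does on Apache, and uses the ^~ prefix modifier so that no regex location defined elsewhere can override it. The allow-list of preview extensions is an assumption; trim it to whatever your shop really serves publicly, or drop the nested location to deny everything.

```nginx
# Added example (not the original gist or EDD's documented snippet).
# Put this inside the server { } block of the WordPress site.
#
# "^~" is a prefix match that stops nginx from evaluating regex locations
# afterwards, so a later "location ~* \.(zip|pdf|mp4)$ { expires max; }"
# cannot accidentally serve protected files.
location ^~ /wp-content/uploads/edd/ {

    # Assumption: these preview types are meant to be public (cover images,
    # audio samples). Remove this nested location to deny every file type.
    location ~* \.(jpe?g|png|gif|mp3|ogg)$ {
        try_files $uri =404;
    }

    # Everything else in the directory (zip, pdf, mp4, ...) is refused.
    # Paid downloads are unaffected: EDD's default "Forced" download method
    # reads the file from disk in PHP and streams it to the buyer, so the
    # buyer's browser never requests this path directly.
    return 403;
}
```

After nginx -t and a reload, check both sides: a direct request for a product file (curl -I against a path from your own shop, such as the popups-premium-v1.2.3.2.zip example above) should return 403, while a real purchase link generated by EDD should still deliver the file. If you have changed EDD's download method away from the default, test a real purchase link before relying on this rule.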
What I don't like about this is how EDD has been handling the issue: it was first mentioned in June 2014 and is still neither fixed nor publicly mentioned.
A simple warning in the plugin telling you to update your nginx rules (the way any caching plugin warns you to update your nginx rules manually) would do the trick.
The issue is important enough to be taken seriously, and we have already learned the lesson that we shouldn't keep quiet about updates or security issues; the more noise we make, the better. I know this is not a security issue that will let attackers take over your site, but it can cost you some bucks.
UPDATE: Pippin popped in with amazing timing and left two links in the comments: the EDD docs explaining how to protect your files, and the GitHub issue for tracking the fix.
Hi there,
Pippin here from EDD.
First of all, thank you for writing this. It’s exceptionally helpful both for us and for users alike.
Second, the issue has always been taken seriously. It’s not something we’ve ever intentionally ignored, but, unfortunately, it has been one that has been on the sidelines instead of the forefront simply due to the minute percentage of EDD users that use NGINX. As the number of NGINX sites has grown, however, we have worked on ensuring those users have a proper setup and are properly aware of the extra step that is necessary.
In EDD 2.3.3 (or perhaps earlier), users will have a notice displayed in their admin area if they are running NGINX: https://github.com/easydigitaldownloads/Easy-Digital-Downloads/issues/3226
We have also documented the necessary steps for those users: https://docs.easydigitaldownloads.com/article/682-protected-download-files-on-nginx
Should this have happened earlier? Yes. Did we intentionally ignore it? No. As with any large project, there is always a mountain of todo items to attack; sometimes ones we want to get resolved take longer simply because they are further down the list.
Thanks again for helping to highlight the issue and the solution.
Thanks Pippin, I totally share your coding style and that's why I like and will keep using your plugins. As soon as I got your response on the forums I wrote this post to "make as much noise about it as possible" and warn other nginx users.
Thanks for taking the time to reply and for providing the new links.
I really appreciate it. I’m also sincerely sorry it took so long to track it down but I’m glad we got there in the end.
Oh, by the way, the timing of your post is pretty incredible because the links I posted above were written today but before I was notified via a pingback of your post 🙂