Im a happy user of Easy Digital Downloads and I use it to sell all my plugins, but a month ago I found a security issue on my site that I would like to share( now that it’s resolved) so other people can protect their files.
Basically EDD uses htaccess file to protect downloads from unauthorized users but what happens when you use a Nginx server like I do? Well, short answer is nothing, your files are not protected at all.
So any smart guy with a bit of research could get your plugins for free. How to do that? Well, all files are stored in wp-content/uploads/edd
So if you have a simple changelog that indicates your plugin version and when it was released , someone could simple figure it out and go to wp-content/uploads/edd/2015/02/popups-premium-v126.96.36.199.zip and download your plugin for free.
To avoid that you need to add into your site’s nginx config file, inside the server directive the following code:
What I don’t like about this, is how EDD is treating the issue first mentioned in June 2014 and still not fixed or publicly mentioned.
A simple warning in the plugin telling you to update your nginx rules (like any cache plugin warns you to update your nginx rules manually) will do the trick.
The issue is important enough to take it seriously and we already learned the lesson that we shouldn’t keep updates or security issues in silent, and as much noise we make the better. I know this is not a security issue that will let attackers to take over your site, but I can’t make you loose some bucks.