Keep your server safe with Approved Download Directories

Introduced in WooCommerce 6.5, Approved Download Directories lets administrators define a set of trusted directories in which product download files must be stored.

While this feature has been enabled by default on new sites since 6.5, sites that were already running WooCommerce before 6.5 may be missing out on some of the security benefits it brings.

Who is this for?

If you are selling downloadable products on your site, you’re probably making use of the default location to store most of those files (uploads/woocommerce_uploads) or have other means of distributing the files (such as cloud storage). No matter what approach you’ve chosen, making sure that WooCommerce only serves files from authorized locations (be it inside the filesystem or from an external URL) protects both your customers and your server.

This is particularly relevant on multi-user setups, where you might have a small number of administrators but several users with the shop manager role who can edit products and attach files or URLs to downloadable products. In such environments, it’s important to ensure that files and URLs point to known locations (which also protects against typos, for example) and that neither customers nor shop managers are able to access files from outside of those designated locations (for example, server files outside of woocommerce_uploads/ or URLs that haven’t been intentionally approved beforehand).

How does it work?

As an administrator, you’ll find Approved Download Directories inside WooCommerce ▸ Settings ▸ Products ▸ Approved Download Directories.

Approved Download Directories main UI.

To benefit from this feature, click Start Enforcing Rules at the top and use the list to manage the locations, adding new ones or enabling/disabling existing ones.

Things to keep in mind:

  • Rules applying to a particular directory also apply by default to sub-directories.
  • Any directory not explicitly included in the list is assumed disabled.
  • This list will be kept up to date as products are updated with (possibly) new download URLs, but those locations will not be enabled by default and might need administrator approval.
  • Approval is not required for locations resulting from administrators updating products, so be extra careful in such cases. Even then, any auto-approved rules can be later disabled as needed.
  • Depending on when this feature was enabled, the list might be missing some paths already in use. You can always trigger an initial scan by using the Synchronize approved download directories tool inside WooCommerce ▸ Status ▸ Tools to remedy this situation.
  • Users will be prevented from downloading files belonging to their purchased downloadable products unless those files are in one of the allowed directories.

Why is this important?

Enabling Approved Download Directories is an important security measure that helps prevent potential vulnerabilities related to file access. By restricting downloadable products to specific approved directories, you reduce the risk of unauthorized access to sensitive server files.

For store owners who set up their shops before WooCommerce 6.5, we strongly recommend reviewing your download directory settings and enabling this feature to enhance your store’s security posture.

If you want to learn more about Approved Download Directories, please read our documentation.
