How can I protect my Download Folders?

Introduction

There are a variety of ways of protecting a directory from unauthorised downloading.  The following notes descibe the solutions  but it is only the last one that gives full protection.  But it also creates a restriction when dealing with media files!
In general if a file is 'not chargeable' in say points or other mechanisms then the combination of the first two methods pus the Joomla! Access and Permission features are an excellent defence.

In this article two out of the three available protecton method use what is known as an '.htaccess' file.  This file is used by the web site to enable control of many aspects, including access protection.  It is not necessary to become familiar with the details of an .htaccess file except to understand that if there is an .htaccess file in a directory then the "commands" apply to the files in that directory and those files in the entire chain all the following sub directories.     So typically an .htaccess file is placed in a root directory.
However an .htaccess file may be placed in one of these subdirectories to apply further conditions or to modify conditions set in an earlier .htaccess file.

Include index.html file

One of the simplest methods of protecting a directory and its contents is to include a file called either index.html or index.php.  With this method if one makes a direct access to the folder then the browser will 'execute' the index file.

When a new Category is created by jDownloads then an index.html file is automatically inserted in the directory.  The contents of this index.html file are typically as below

<html><body bgcolor="#FFFFFF"></body></html>.

If executed this causes a white page on the screen.

Disallow "Indexes" using .htaccess file

Another scheme is called the "Indexes Option" which, despite its name, has nothing to do wth the index file; the Indexes Option allows or prevents the contents of a directory being listed as an index of its contents.

Most web site hosts have the Indexes option deactivated as the default.  But sometimes it is activated so visitors can browse to the download folders and see the files.

The Indexes option sets whether someone can "browse" the directory or not.

If Indexes are allowed, and the directory does not have either an index.html or an index.php file, then a browser will show the contents of the directory just like your filemanager would do as shown in the example opposite. 

It simply shows the directory contents as a list with links to the actual file.  That is they can be downloaded by the browser.
protect02A
To disallow Indexes create a file in the jDownloads root folder with the name .htacces and include in it the single line:
          Options  -Indexes
Note  The default Joomla! .htaccess file includes the above option in the root of the site so all directories then have this level of protection.  Follow the instructions in Global Configuration - Site tab - SEO section - "Use URL Rewriting".  This involves renaming 'htaccess.txt' to '.htaccess'.  Sometimes the native file system will not carryout the renaming as it expects a 'filename' before the 'extension'.  In such a situation renaming is readily done using an FTP utility such as File Zila.

Deny Access using .htaccess file

The above methods are effective but only if the user does not know the full filepath and file name of the file.  If the user knows that information then a browser will still be able to download the file.

For example if the user knows that a file called test.mp4 is stored on www.mysite.com in directory /dirA/subdirB then by loading www.mysite.com/dirA/subdirB/test.mp4 into a browser then that file can be 'stolen'.

The need to protect files from being 'stolen' is obviously very important for those sites which are effectively 'selling' the file, and also where there may be some degree of confidentiality involved. To prevent this jDownloads is able to add a specific .htaccess file into your jDownloads root folder.  This file then only allows php files on the site to access and download the file.
This is actioned by using the jDownloads V4 button options- V4 button optionsV4 tab security tab and setting field 'Protect your Download Directory' to Yes as shown in the image opposite.  If the setting is set to No then the .htaccess file is removed.protect03
There is however a special situation when related to video or audio files.

jDownloads recognises that in a Download with a media file if you have not provided a  'preview' then it will show the full media file from the normal download area.  Importantly, jDownloads does not copy the media file to the preview directory.  This is to both save space and also allows actual pre-views to be shown.
To protect your files and allow downloading subject to any criteria such as points, password or similar the set the options as noted below.
  •  in button control panel button options -tab global settings set 'Send Downloads using the PHP Script' to Yes;
  •  in V4 button control panelV4 button options - tab securityset 'Protect your Download Directory'  to Yes;
  •  in button control panelV4 button options -V4 tab security set 'Activate Hotlinking Protection' to Yes.
With the above settings then to show an example of either an audio or video you need to add a preview file when you create or edit the Download See Adding a Preview (opens in a new window/tab) for more details on adding audio and video previews.

Do not use the full media file as browsers allow the file being played to be downloaded!

ColinM, April 2019 modified June 2023

Print Email

We use cookies

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.