17 Mar WooCommerce downloads folder open to the world? Check if your vhost is run on nginx.
Today I discovered that on some hosts (like my favorite, Cloudways) when a server is running nginx, static files like PDFs, images, ZIPs, etc, are served via nginx instead of Apache. Since .htaccess files are Apache instructions, nginx bypasses those directives and continues to host those static files regardless.
WooCommerce uses a .htaccess file with the contents “deny from all” inside the woocommerce_ uploads folder to prevent world access. This means that if you are selling downloadables like PDFs, as many of my clients do, those PDFs are open to the world by default. What’s worse, they can be crawled, and probably are, so they’re probably coming up in Google search results.
I have no idea how many thousands of dollars my clients have lost due to this problem, but I guarantee you, it’s a lot.
The only solution as far as Cloudways is to submit a support ticket that says something like “Please disable static files with the extension PDF and ZIP in the nginx vhost configuration for server with IP xx.xx.xx.xx”. I have advised them of the issue and hope they’ll take this into consideration and correct the issue for default configurations going forward. In the meantime, if you’re selling digital content through WooCommerce, double check that your downloadables aren’t accessible!
I’m pasting the chat conversation I had, just for record’s sake.
That’s working, but I think this is a systemic issue tied to cloudways setup. On other hosts the basic config works fine, you shouldn’t have to add extra rules to block that folder.
Like something in the VPS setup is not allowing the sub .htaccess files
Yes, you’re correct. This is because we are using nginx and Apache, static file types like jpg, gif,zip and pdf are served by Nginx and in which case Apache .htaccess rules are not applied so they have to be removed from nginx vhost.
Next time for any new application you can request this on chat or ticketing support.
I see. well that’s a problem, I have dozens of clients on cloudways and they all have the same problem.
For any client just provide their server IP and application folders, and share the file types to remove like PDF, ZIP, JPG
Is it possible Cloudways can change the default config for woocommerce applications at the time of setup? This is really bad and users have no way of knowing it’s happening.
Unfortunately it is not possible to change default config as it is part of our standard automation and configuration, sorry.
I will forward to our relevant team to add a support article explaining regarding it so customers are better informed and can contact support for help with it.