How to block direct access to files or folders on NGINX

The Apache web server is almost obsolete, and we need to use NGINX or LiteSpeed webserver to speed up our website.

Due to WordPress Permalinks limitations, most hosting companies have to use LightSpeed Web Server instead of NGINX. Of course, LightSpeed is not free.

If you want to make sure your web server is NGINX or not, go to Tools > Site Health, and then you can view your web server.

If you have a high-traffic website and want to host that website on an entirely dedicated server, you can use NGINX as your webserver. Troublesome but fast!

NGINX and EDD security issues

One of the problems with NGINX is the lack of access to the .htaccess file. So you have to enter your configurations directly in the /etc/Nginx/Nginx.conf file.

When you use the NGINX web server and install the Easy Digital Downloads plugin on your WordPress website, everybody can access your downloads folder. For example, someone can download all your files.

To test this, you have to type this address in your browser:

http://yoursite.com/wp-content/uploads/edd/downloadname.zip

Enter your site address instead of yoursite.com and the name of the download file instead of downloadname.zip.

If you get a 403 or 404 error, access to this file is naturally limited. But if the file is downloaded, your web server settings have a security problem, and you have to solve it.

If you are not a server administrator, send this article to your server administrator. 🙂

Restrict access to the EDD folder

To restrict the direct downloads in EDD, you must log in to your Linux server SSH. Then open the /etc/Nginx folder. With this command:

cd /etc/nginx/

Now open the Nginx. conf file with this command.

vi nginx.conf

Finally, it would help to look for a server section in this file. The server block belongs to your domain. Your domain is listed after the server in the following line with the server name variable.

And paste this code into this section. It does not matter at which part of this block this code is placed.

location /wp-content/uploads/edd { deny all; return 403; }

Now save the Nginx.conf file. Then restart the Nginx web server with the following command.

service nginx restart

Just as easily 🙂 If you type the file address directly in your browser, you will encounter error 403. This means that no one has access to the files, and your website can download the file and make it available to the user.

Good luck.

2 Comments

  • nauv says:

    Hi, simple but awesome solution, thanks.

    In my case I used:

    location /wp-content/uploads/2022
    {
    deny all; return 403;
    }

    and it works, direct downloading of the files is not allowed, but I need to use the files from the directory in a script to emulate games.

    For example:

    EJS_player = ‘#game’;
    EJS_biosUrl = ‘https://***/wp-content/uploads/2022/neogeo.zip’;
    EJS_gameUrl = ‘https://***/wp-content/uploads/2022/kof94.zip’;
    EJS_core = ‘arcade’;

    With blocking the script doesn’t work because it needs direct access to the url. How to use the url in the script at the same time that I cannot allow the direct download of the zip files? I thank you in advance for your help.

  • Leave a Reply