TGMPA / TGM-Plugin-Activation

TGM Plugin Activation is a PHP library that allows you to easily require or recommend plugins for your WordPress themes (and plugins). It allows your users to install, update and even automatically activate plugins in singular or bulk fashion using native WordPress classes, functions and interfaces. You can reference bundled plugins, plugins from the WordPress Plugin Repository or even plugins hosted elsewhere on the internet.
http://tgmpluginactivation.com/
GNU General Public License v2.0

Restrict direct access of external plugins #607

Closed hellor0bot closed 8 years ago

hellor0bot commented 8 years ago

Hey,

Thanks a lot for the awesome TGMPA!

Just wanted to know if there's an easy way to restrict direct access to plugins hosted externally.

I tried using HTTP_REFERER and creating .htaccess like this:

    RewriteEngine On
    RewriteBase /

    # allow these referers to passthrough
    RewriteCond %{HTTP_REFERER} /wp-admin
    RewriteRule ^ - [L]

    # deny everything else
    RewriteRule ^ - [F]

But it returns Forbidden when trying to install from the wp-admin too.

Any hints?

jrfnl commented 8 years ago

@hellor0bot Glad to hear you like TGMPA.

I'm not sure what you mean by your question.

Do you want to restrict access to plugins on an external server you manage? If so, you could use a PHP script on that server to fetch the file from a hidden directory and serve it as a download, but that's something way out of the scope of TGMPA. You may want to look at something like https://github.com/YahnisElsts/wp-update-server for that.

Or do you want to restrict access to plugins you ship with a theme/plugin? So that only the person who bought/installed your theme/plugin can use these from their install and they are hidden from download by people who stumble across the url?

In that last case, you should be able to restrict access by using either of the following (mind, this only works on Apache servers and even then might depend on server configuration):

    # In a .htaccess file placed inside the directory that holds the plugin zip(s).
    # (A <Directory> block is not permitted in .htaccess and makes Apache return a
    # 500 error, so the deny rule goes in that folder's own .htaccess instead.)
    Order Deny,Allow
    Deny from all

    # Or in a .htaccess file in the folder for your theme/plugin, matching the zip file(s) by name:
    <FilesMatch "\.zip$">
     Order Deny,Allow
     Deny from all
    </FilesMatch>

Both of these should still allow the system/PHP user access to the zip files to install the plugin, but prevent external visitors from accessing these files directly.

Does that help?

hellor0bot commented 8 years ago

@jrfnl, thank you very much for such a quick response.

Unfortunately, it's not exactly what you specified :)

I'd like to restrict direct access to plugins hosted on my server. The only possible way to download them is via TGMPA included into our theme. The plugins should not be accessible via a direct URL.

The thing is that these plugins are only hosted on our webserver but they're developed by a third party. That's why I don't want to change them and change their update method by including an update script, like the one you gave as an example.

As far as I'm concerned, the only possible way for such restriction is mod_rewrite in .htaccess, but I can't get it to work :(

Maybe you know any other way or how to make the .htaccess restrict access according to my requirements?

I don't need ultra protection, just to check that the request source is from a WordPress dashboard on any domain and to make the file inaccessible directly, i.e. when typing the URL directly in the browser.

jrfnl commented 8 years ago

@hellor0bot The script I pointed you to is not an update script, but an application you can run on a server where you host your plugins. While this may not be exactly what you are looking for, the code in that repo could serve as inspiration on how to serve those plugins. You can also have a look at this article which is referenced from its readme: http://w-shadow.com/blog/2013/03/19/plugin-updates-securing-download-links/

Other than that, your question is out of the scope of TGMPA as it has nothing to do with TGMPA.
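
The secured-download-link approach referenced above, as an added illustration (not code from TGMPA or wp-update-server): a small PHP gateway that keeps the zips outside the web root and serves one only for an HMAC-signed, time-limited link. The `download.php` name, the `ZIP_DIR` path and the secret are assumptions; a theme would generate the link at runtime and hand it to TGMPA as the plugin's external `source` URL.

```php
<?php
// Hypothetical download.php: serves plugin zips stored outside the web root only when
// the request carries a valid, unexpired HMAC signature. Added example, not TGMPA code.

const ZIP_DIR = '/var/www/private/plugin-zips';        // assumed path, not reachable over HTTP
const SECRET  = 'replace-with-a-long-random-secret';   // assumed; shared only with the link generator

// Build a time-limited, signed link for a plugin slug (run by the theme/link generator).
function build_download_url(string $base, string $slug, int $expires, string $secret): string {
    $sig = hash_hmac('sha256', $slug . '|' . $expires, $secret);
    return $base . '?' . http_build_query(['plugin' => $slug, 'expires' => $expires, 'sig' => $sig]);
}

// Validate the query string; return the absolute zip path, or null to refuse.
function resolve_download(array $query, string $secret, int $now): ?string {
    $slug    = $query['plugin'] ?? '';
    $expires = (int) ($query['expires'] ?? 0);
    $sig     = $query['sig'] ?? '';
    if (!is_string($slug) || !is_string($sig)) {
        return null;                                   // arrays smuggled in via plugin[]=... are rejected
    }
    // Whitelist the slug so the resulting path can never leave ZIP_DIR.
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $slug)) {
        return null;
    }
    if ($expires < $now) {
        return null;                                   // link expired
    }
    $expected = hash_hmac('sha256', $slug . '|' . $expires, $secret);
    if (!hash_equals($expected, $sig)) {
        return null;                                   // constant-time comparison of signatures
    }
    $path = ZIP_DIR . '/' . $slug . '.zip';
    return is_file($path) ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    $path = resolve_download($_GET, SECRET, time());
    if ($path === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

Because WordPress downloads the zip server-side and sends no Referer header, a referer rule cannot tell the dashboard from a browser; the signed, expiring token carries that proof instead, and a link pasted into a browser stops working once it expires.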

hellor0bot commented 8 years ago

Thanks, anyway! @jrfnl