
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Protecting Content Outside of WP/S2Member


This topic contains 7 replies, has 3 voices. Last updated by  Tony Schwartz 4 years, 2 months ago.

Posted: Wednesday Oct 10th, 2012 at 6:50 pm #28031

I discovered a content protection breach today – when I Googled one of our pages, I came to a .PHP page that we use as a part of our site for displaying the results from the database.

http://barbangerz.com/data-vm.php

Once here, if the user clicks on the download link to the file in the s2member-files folder, it downloads automatically, whereas inside the WordPress framework/the website the non-paying member would be redirected to the subscribe page.

This is a HUGE ISSUE!

How can I prevent this from being accessed?

Posted: Wednesday Oct 10th, 2012 at 8:01 pm #28038
Eduan
Username: Eduan
Moderator

Hello Tony,

This would probably be fixed if you made some .htaccess rules, which would only allow s2Member to access it, and nothing else.

Hope this helps. :)

Posted: Wednesday Oct 10th, 2012 at 9:17 pm #28057

Not sure how to do that, Eduan. Can you help or point me in the right direction?

Posted: Wednesday Oct 10th, 2012 at 9:24 pm #28058
Bruce
Username: Bruce
Staff Member

Hi Tony,

You should add this to the top of your PHP page, right underneath the opening <?php tag:

    // ABSPATH is defined by WordPress during bootstrap; if it is missing,
    // this file was requested directly rather than included by WordPress.
    if(!defined('ABSPATH'))
        exit('Do not access this file directly');

By doing this, your file will check to see if WordPress loaded with it, and if it didn't, it will not load. :-)

    This would probably be fixed if you made some .htaccess rules, which would only allow s2Member to access it, and nothing else.

If you'd like to do it this way, make sure that your file(s) are within their own directory, and within this directory create a .htaccess file with this in it:

deny from all

That blocks access to anything within the directory :-)

Keep in mind that using either of these tips will cause the file to not be able to be accessed directly. You’ll need to require() or include() the file to see its output from now on :-)
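An added example of the .htaccess Bruce describes (not from the thread or from s2Member): the `deny from all` line is Apache 2.2 syntax, and on Apache 2.4 it only works while mod_access_compat is loaded, so the file below carries both forms, each guarded by an IfModule block so the server never sees a directive it does not understand. The assumed layout is a subdirectory holding the PHP files that WordPress pulls in with include()/require(); those calls read from disk and are unaffected by the web-server rule.

```apache
# .htaccess in the directory holding include-only PHP files.
# Added example; it assumes Apache 2.2 or 2.4 and no other access rules.

# Apache 2.4: mod_authz_core is present, use the new syntax.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 (or 2.4 without mod_authz_core): the legacy syntax Bruce quotes.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

With this in place, a direct request such as http://example.invalid/includes/data-vm.php gets a 403 from Apache, while `include 'includes/data-vm.php';` inside a WordPress page still runs the file.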
Posted: Wednesday Oct 10th, 2012 at 9:53 pm #28059

Bruce,

Thank you. So to confirm, because we load this page dynamically through AJAX, I need to use include('data-vm.php') in my PHP/AJAX call of the .php file in question?

I have a tight window to do this tonight – so I want to make sure I do it right and not screw things up for our members.

Thank you!

  • This reply was modified 4 years, 2 months ago by  Tony Schwartz.
Posted: Wednesday Oct 10th, 2012 at 10:09 pm #28066
Bruce
Username: Bruce
Staff Member

Hi Tony,

    Thank you. So to confirm, because we load this page dynamically through AJAX, I need to use include() in my PHP call of the .php in question?

Ah, I didn’t realize you were actually showing users this page through AJAX. In this case, I would definitely take a look at the info Raam posted here on protecting content outside of WordPress:

http://www.s2member.com/kb/protecting-non-wordpress-content-with-s2member/

This way, your AJAX requests won’t fail when JavaScript tries to load the page. Just make sure to protect the file with something like this near the top of the page:

    // Bootstrap WordPress so the logged-in user and s2Member capabilities are available.
    include_once 'wp-load.php';
    // access_s2member_level1 is granted to paying members at Level 1 and above.
    if(!current_user_can('access_s2member_level1'))
        exit('You don\'t have access to this.');
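The pattern Bruce gives above (bootstrap WordPress with wp-load.php, then check an s2Member capability), written out as an added example that is not code from the thread or from s2Member. It goes beyond the snippet in one way: instead of exiting for non-members, the page still renders for everyone and only the download link is gated, which is the behaviour Tony is after. It assumes data-vm.php sits in the WordPress root beside wp-load.php, that the rows come from a hypothetical `bb_fetch_rows()` stand-in for the database query, and that downloads go through the `s2member_file_download` query variable s2Member uses for files under s2member-files.

```php
<?php
// data-vm.php: served directly (e.g. via AJAX) but gated with s2Member.
// Added example; not from the thread or the plugin. Assumes this file is
// in the WordPress root next to wp-load.php.

// Bootstrap WordPress so the user session and s2Member capabilities exist.
require_once __DIR__ . '/wp-load.php';

/** Whether the current visitor may download files (s2Member Level 1 or higher). */
function bb_can_download() {
    return is_user_logged_in() && current_user_can('access_s2member_level1');
}

/** Hypothetical stand-in for the database lookup the thread mentions. */
function bb_fetch_rows() {
    // Constructed sample rows; the real page would query its own table.
    return array(
        array('title' => 'Sample track A', 'file' => 'track-a.zip'),
        array('title' => 'Sample track B', 'file' => 'track-b.zip'),
    );
}

/** Render one row; the download link is only emitted for members. */
function bb_render_row(array $row, $can_download) {
    $title = esc_html($row['title']);
    if (!$can_download) {
        // Non-members still see the listing, just with a subscribe pointer
        // where the link would be, rather than the whole page being replaced
        // by an error message.
        $subscribe = esc_url(home_url('/subscribe/')); // assumed subscribe page
        return '<li>' . $title . ' <a href="' . $subscribe . '">Subscribe to download</a></li>';
    }
    // Hand the download to s2Member's own file route so access is checked
    // there as well; add_query_arg() URL-encodes the file name for us.
    $url = add_query_arg('s2member_file_download', $row['file'], home_url('/'));
    return '<li>' . $title . ' <a href="' . esc_url($url) . '">Download</a></li>';
}

// Gated output must not be stored by shared caches or proxies.
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: private, no-store');

$can = bb_can_download();
echo '<ul>';
foreach (bb_fetch_rows() as $row) {
    echo bb_render_row($row, $can);
}
echo '</ul>';
```

Two things this does not replace: the s2member-files directory itself still needs the web-server deny rule so the raw file path cannot be fetched directly (the link above only points at s2Member's route, which re-checks access), and because the visitor's cookies decide the output, the no-store header matters if anything in front of the site caches responses.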
Posted: Thursday Oct 11th, 2012 at 1:23 am #28078

Thank you for this. The only problem is – when a visitor to our site logs on to view the site – we can’t show them any of the downloadable content, as the conditional of being a member is not met and they only see “You Don’t Have Access To This”.

Example: http://barbangerz.com/genres/rb vs. any other genre page. On the R&B page, you can’t see the middle section, but on any other genre page – that is what you should be seeing.

Is there a way to hide just that download link using the wp-load.php code above?

Posted: Thursday Oct 11th, 2012 at 1:38 am #28079

Fixed – just used the include_once ‘wp-load.php’; line.
