ok. I just figured out from older posts that according to Jason, URI request restriction only applies to WordPress “content” and not files.
Then URI is not a workaround. Now, the question is:
1. is it safe to use the full s2member-files path to call restricted files or is the whole security deal implemented with the /?s2member_file_download=filename.html calling.
ie is it safe to point to a restricted address with a static URL: http://www.mydomain.com/wp-content/plugins/s2member-files/filename.html ? is it safe to reveal the full path (wp-content/plugins/etc…) to the whole world even though they must be logged in to access it anyway?
2. I’m an intermediate PHP developer, would I be able to move the s2member-files folder to something like this (www.mydomain.com/restricted-files)?