This document outlines the security measures and best practices for protecting files.
The following measures aim to prevent:
- Unauthorized access to protected files
- Bypassing user roles and access restrictions
- Directory traversal attacks and direct file access
- Abuse by automated tools or mass access (DoS)
- Application-layer vulnerabilities (e.g., XSS, CSRF)
- Violations of data protection regulations (e.g., GDPR)
File System Level
- Files stored outside the WebRoot
- Strict permissions
- No direct URL accessibility
Web Server Level
- .htaccess protection
- PHP execution disabled
- Redirects to check-access.php
Application Level
- WordPress authentication
- Role-based access control
- Session management
- XSS protection (escape HTML output)
- CSRF protection in forms (e.g., token usage)
Transport Layer
- HTTPS encryption
- Secure cookies
- Chunked downloads
Folder Structure
```text
/secure-files/                 # Main directory (755)
├── config/                    # Configuration folder (755)
│   └── secure-config.php      # Configuration file (644)
└── [role-folders]/            # Role-specific folders (755)
```
Permissions
- Folders: 755 (drwxr-xr-x)
- Files: 644 (-rw-r--r--)
- Executable files: 755 (-rwxr-xr-x)
Protection Measures
- No PHP execution
- No directory listing
- No direct downloads
.htaccess Rules
```apache
# Disable PHP execution
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Disable directory listing
Options -Indexes

# Redirect to check-access.php
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*)$ check-access.php?file=$1 [L,QSA]
```
PHP Configuration
```ini
display_errors = Off
log_errors = On
error_reporting = E_ALL
```
Rate Limiting and Abuse Protection (optional)
- IP-based request limits via middleware or web server (mod_evasive, Nginx limits)
- Access counters per IP using session context or Redis
Authentication
- WordPress login required
- Strong password policies
- Session timeouts
Access Control
- Role-based permissions
- Folder-based restrictions
- No role escalation
File Handling
- MIME type validation
- File size restrictions
- Chunked downloads
- No storage of IP addresses or personal data without legal basis
- Log file access restricted to authorized administrators
- Automated deletion of old logs (e.g., after 30 days)
Secure Settings
```php
define('DEBUG_MODE', false);                 // Disable debug mode
define('CHUNK_SIZE', 4194304);               // 4 MB
define('MAX_DIRECT_DOWNLOAD_SIZE', 1048576); // 1 MB
```
MIME Types
- Define only allowed types
- Exclude executable files (e.g., .php, .exe)
- Use documented and verifiable formats
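The following gatekeeper ties the .htaccess redirect, the role-folder structure, the MIME allowlist and the chunked download together. It is an added example, not the project's own check-access.php; the wp-load.php path, the SECURE_FILES_ROOT location, the allowlist contents and the convention that each role folder is named after the WordPress role allowed to read it are assumptions.

```php
<?php
// Added example, not the project's own check-access.php. Assumptions: wp-load.php
// sits beside this script, SECURE_FILES_ROOT is outside the web root, and each
// role folder is named after the WordPress role allowed to read it.
require_once __DIR__ . '/wp-load.php';                 // assumed path
define('SECURE_FILES_ROOT', '/var/www/secure-files');  // assumed location
define('CHUNK_SIZE', 4194304);                          // 4 MB, as in Secure Settings
$allowed_mime = ['application/pdf' => 'pdf', 'image/png' => 'png']; // constructed allowlist
function deny(int $code, string $msg): void {
    status_header($code);
    nocache_headers();
    exit($msg);
}
if (!is_user_logged_in()) {
    deny(401, 'Login required');
}

// Resolve the requested path and refuse anything that escapes the storage root
// (../ sequences, absolute paths, symlinks pointing elsewhere).
$real = realpath(SECURE_FILES_ROOT . '/' . (string) ($_GET['file'] ?? ''));
$root = realpath(SECURE_FILES_ROOT);
if ($real === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
    deny(404, 'Not found');
}

// The first path component below the root is the role folder; the caller must hold that role.
$folder = explode(DIRECTORY_SEPARATOR, substr($real, strlen($root) + 1), 2)[0];
$roles  = (array) wp_get_current_user()->roles;
if ($folder === 'config' || !in_array($folder, $roles, true)) {
    deny(403, 'Access denied');
}

// MIME allowlist by content, not by name; the extension must agree with the detected type.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($real);
$ext  = strtolower(pathinfo($real, PATHINFO_EXTENSION));
if (!isset($allowed_mime[$mime]) || $allowed_mime[$mime] !== $ext) {
    deny(415, 'File type not allowed');
}

// Stream in CHUNK_SIZE pieces so large files never sit in memory whole.
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($real));
header('Content-Disposition: attachment; filename="' . basename($real) . '"');
header('X-Content-Type-Options: nosniff');
$fh = fopen($real, 'rb');
while (!feof($fh)) {
    echo fread($fh, CHUNK_SIZE);
    flush();
}
fclose($fh);
```

Because realpath() resolves symlinks before the prefix check, a link inside a role folder that points outside the storage root is rejected as well, and the config folder is never served even to a user whose role name happens to match it.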
Regular Checks
- Review permissions
- Analyze logs
- Apply updates
Backup Strategy
- Regular backups
- Encrypted storage
- Separate locations
Monitoring
- Access logs
- Error logs
- Performance metrics
Checklist
- Folders located outside the WebRoot
- Correct permissions for files and directories
- No executable files in the download directory
- HTTPS fully configured
- Debug mode disabled
- Access only via check-access.php
- User roles correctly assigned
- Defined access structure per role
- MIME types restricted to safe formats
- Appropriate chunk size configured
- Download limits set (size and number)
- Security headers active
- PHP error output disabled
- Regular updates of WordPress, PHP, and plugins
- Log file analysis and rotation
- Regular permission reviews
- Backup plan tested and documented
- Monitoring enabled (errors, access, performance)
- Old logs deleted in compliance with data protection laws
Immediate Actions
- Isolate the system
- Secure the logs
- Revoke access credentials
Analysis
- Identify root cause
- Assess impact
- Document the incident
Recovery
- Clean the system
- Apply updates and fixes
- Reconfigure access
In case of security incidents:
- Notify the system administrator
- Provide relevant logs
- Document the incident
```mermaid
%%{ init: { "theme": "default" } }%%
flowchart TD
    A[Incident Detected] --> B[Isolate System]
    B --> C[Secure Logs]
    C --> D[Revoke Access]
    D --> E[Analyze Root Cause]
    E --> F[Assess Impact]
    F --> G[Document Incident]
    G --> H[Clean System]
    H --> I[Apply Updates & Fixes]
    I --> J[Reactivate System]
```