Secure the uploads directory

Last edited: 24/09/2020

Uploaded files are saved in a custom folder called wcfu inside the wp-content/uploads folder. Each uploaded file is encoded with a 32-character string. However, there are still ways to gain public access to these files.

To stop people from browsing your files, you can protect the directory by turning off directory listings: add Options -Indexes to your .htaccess file. It should look something like this:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . / [L]
Options -Indexes
</IfModule>

# END WordPress

Make sure you add it before the closing </IfModule> tag, not after it.
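
To confirm the change took effect, the following shell script (an added example, not part of the original documentation) reports where Options -Indexes sits in an .htaccess file and recognises an Apache directory-listing page in a response body. The function names, the constructed sample file and the example.com URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the plugin docs): verify the directory-listing setting.

# Print where "Options -Indexes" sits in the .htaccess file given as $1:
#   inside-ifmodule | outside-ifmodule | missing | reenabled
indexes_status() {
    awk '
        BEGIN { depth = 0; state = "missing" }
        /^[ \t]*#/ { next }                                  # skip comment lines
        tolower($0) ~ /^[ \t]*<ifmodule[ \t>]/ { depth++; next }
        tolower($0) ~ /^[ \t]*<\/ifmodule>/ { if (depth > 0) depth--; next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "-indexes")
                    state = (depth > 0) ? "inside-ifmodule" : "outside-ifmodule"
                else if (opt == "indexes" || opt == "+indexes")
                    state = "reenabled"                      # a later line turns listings back on
            }
        }
        END { print state }
    ' "$1"
}

# Succeed if the HTML on stdin is an Apache auto-generated listing page.
# Typical use against your own site (URL is a placeholder):
#   curl -s https://example.com/wp-content/uploads/wcfu/ | is_listing_page
is_listing_page() {
    grep -qi '<title>Index of /'
}

# Constructed sample mirroring the file shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
Options -Indexes
</IfModule>
# END WordPress
EOF
echo "sample .htaccess: $(indexes_status "$sample")"
rm -f "$sample"
```

A result of missing or reenabled means directory listings are not switched off by this file.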