By default, private files are uploaded to a folder specific to each owner, with a complicated name. However, anyone who knows the URL of a particular user file can download it without restriction. This is because, by default, the user folders are located in the wp-content/customer-area folder, which is not protected. There are two ways to protect this folder: by changing its location (Apache or Nginx servers), or with a .htaccess file (Apache servers only).
A. By changing that folder location
This method is compatible with Apache or Nginx servers but differs depending on your version of WP Customer Area.
Step 1: Move the folder from FTP
Connect to your FTP and move the folders wp-content/customer-area/storage and wp-content/customer-area/ftp-uploads to a location outside of your webroot directory. For instance, if your FTP structure is something like /var/www/mysite.com/public_html/wp-content/customer-area, you’ll need to move those folders outside of the public_html folder, in order to make sure that nobody can actually access them through their related URL from a browser.
So, to be secured, those folders could, for instance, be located in /var/www/mysite.com/customer-area-protected/storage and /var/www/mysite.com/customer-area-protected/ftp-uploads.
Note: don’t move the entire customer-area folder as it may also contain other subdirectories, such as the templates directory.
Step 2: Tell WP Customer Area the new path
WP Customer Area 6.2 and above
The path to the file storage folder can be indicated in Settings > Private Files > File Storage.
WP Customer Area 5.0 and above
If you prefer to change that path programmatically, you can change the directory where files are stored using a filter in a code snippet:
// Return the absolute path of the storage folder moved outside the webroot in Step 1.
function wpca_change_private_directory($original_dir) {
    return '/path/to/my/own/directory';
}
add_filter('cuar/core/ownership/base-private-storage-directory', 'wpca_change_private_directory');
WP Customer Area up to 4.x
This method cannot be used.
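For method A, the following shell check confirms that the relocated folders really resolve to a location outside the webroot, including when a symlink leads back inside it. It is an added example, not part of WP Customer Area; the function names are hypothetical and the paths passed to it are whatever you chose in Step 1.

```shell
#!/bin/sh
# Added example: verify that storage folders resolve outside the webroot.

# Print the physical (symlink-resolved) absolute path of a directory.
canon() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Return 0 if directory $1 lies outside webroot $2,
# 1 if it is the webroot or inside it, 2 if a path cannot be resolved.
is_outside_webroot() {
    dir=$(canon "$1") || return 2
    root=$(canon "$2") || return 2
    # Compare with trailing slashes so public_html2 is not mistaken
    # for a subfolder of public_html.
    case "$dir/" in
        "$root/"*) return 1 ;;
    esac
    return 0
}

# Usage: check_storage WEBROOT FOLDER [FOLDER...]
# Reports each folder and returns non-zero if any of them fails the check.
check_storage() {
    webroot=$1; shift
    bad=0
    for d in "$@"; do
        if is_outside_webroot "$d" "$webroot"; then
            echo "OK       $d"
        else
            echo "EXPOSED? $d (inside $webroot or not resolvable)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run the check when called with arguments, e.g.:
#   sh check.sh /var/www/mysite.com/public_html \
#       /var/www/mysite.com/customer-area-protected/storage \
#       /var/www/mysite.com/customer-area-protected/ftp-uploads
if [ "$#" -ge 2 ]; then
    check_storage "$@"
fi
```

This checks filesystem location only; a server alias or additional virtual host that points at the new folder would not be detected by it.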
B. Or with a .htaccess file
This method is compatible with any version of WP Customer Area but requires an Apache server.
You can secure the folder by copying (and renaming) the file /wp-content/plugins/customer-area/extras/protect-downloads.htaccess to /wp-content/customer-area/.htaccess.
Tip: On Windows, to rename a file to something starting with a dot, you need to add another dot at the end. So, if you are doing this on Windows, rename the file to .htaccess. (with a trailing dot), and the last dot will then disappear.