Private files are uploaded by default to a folder specific to each owner, with a complicated name. However, anyone who knows the URL of a particular user file can download it without restriction. This is because, by default, the user folders are located in the wp-content/customer-area folder, which is not protected.
If your web server is configured, for instance, to map the URL http://example.com/ to the directory /var/www/httpdocs/wordpress, then all of its sub-directories are accessible by default. For instance, http://example.com/wp-content/customer-area will reveal the content of the directory /var/www/httpdocs/wordpress/wp-content/customer-area.
You have two possibilities to protect this folder.
By changing the location of the private files
You simply have to move your private files storage directory to a place that cannot be accessed by the web server. In the above example, you could move the directories /wp-content/customer-area/storage and /wp-content/customer-area/ftp-folder respectively to the locations: /var/www/customer-area/storage and /var/www/customer-area/ftp-folder.
They will then not be accessible anymore via a public URL starting with http://example.com.
Once those directories have been moved, you will have to indicate their location in the plugin settings under the Private files tab.
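To check the result of the move, the following added example (not part of the plugin) reports whether a directory still sits inside the web server's document root and, if so, under which URL it is exposed. The function names are hypothetical; the paths in the usage comment are the ones from the example above.

```shell
#!/bin/sh
# Added example: is a storage directory reachable through the document root?

# Resolve a directory to its physical path (symbolic links followed).
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# exposed_url DOCROOT BASE_URL DIR
#   returns 0 and prints the public URL when DIR lies inside DOCROOT
#   returns 1 and prints nothing when DIR lies outside DOCROOT
#   returns 2 when either directory cannot be resolved
# Limitation: a symbolic link placed inside DOCROOT that points at DIR is
# not detected here; look for such links separately.
exposed_url() {
    root=$(resolve_dir "$1") || return 2
    dir=$(resolve_dir "$3") || return 2
    # Compare with a trailing slash so that /srv/wordpress-old is not
    # mistaken for a sub-directory of /srv/wordpress.
    case "$dir/" in
        "$root"/*)
            rel=${dir#"$root"}
            printf '%s%s\n' "${2%/}" "$rel"
            return 0 ;;
    esac
    return 1
}

# Usage with the paths from the example above:
#   exposed_url /var/www/httpdocs/wordpress http://example.com \
#       /var/www/httpdocs/wordpress/wp-content/customer-area/storage
#   -> prints http://example.com/wp-content/customer-area/storage
#   exposed_url /var/www/httpdocs/wordpress http://example.com \
#       /var/www/customer-area/storage
#   -> prints nothing, exit status 1 (not under the document root)
```

Run it for both the storage and ftp-folder directories after moving them and after updating the plugin settings.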
With a .htaccess file
This method is compatible with any version of WP Customer Area but requires an Apache server (it will not work if the web server is Nginx, for instance).
You can secure the folder by copying the file protect-downloads.htaccess included in our plugin’s extras folder to the plugin’s upload folders (it should be /wp-content/customer-area/storage and /wp-content/customer-area/ftp-folder).
Then you will need to rename that file to .htaccess so that your server takes it into account. You may need to adjust a few settings in the .htaccess file depending on your server setup. Please refer to the Apache documentation for .htaccess files.