https://89393b0c.nuvai-blog.pages.dev/tags/security/ Recent content in Security on Luis Sousa Blog Hugo en Sat, 07 Mar 2026 12:10:00 +0000 https://89393b0c.nuvai-blog.pages.dev/posts/protecting-edd-downloads-from-url-guessing/ Sat, 07 Mar 2026 12:10:00 +0000 https://89393b0c.nuvai-blog.pages.dev/posts/protecting-edd-downloads-from-url-guessing/ <p>We sell digital products on <a href="https://joyofexploringtheworld.com/" class="external-link" target="_blank" rel="noopener">joyofexploringtheworld.com</a> using Easy Digital Downloads. By default, EDD stores files in <code>wp-content/uploads/</code>—the same directory as every other WordPress upload. That means anyone who can guess the filename can download the file directly, bypassing purchase validation entirely.</p> <h2 id="the-problem"> The problem <a class="heading-link" href="#the-problem"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>EDD download URLs contain a token that validates the purchase. But the actual file sits in a publicly accessible directory. If someone guesses or discovers the file path (e.g. from a cached CDN URL or a predictable naming pattern), they can download it without paying.</p>