The Case of a Constantly Rewritten .htaccess File


There was a recurring problem with a .htaccess file on a website I help manage. The website’s e-shop is set up by using the excellent WordPress plugin called Easy Digital Downloads. A fair amount of tweaking was necessary to get all the features required by the site owner to work.

By default, Easy Digital Downloads (EDD) writes the following .htaccess rules into the folder where all downloadable files must be located (the rules deny direct access to the folder and then re-allow a short list of file types that may be fetched directly):

Making PDF Files Accessible

One of the very early problems I had to address was that the website sells PDF documents, a format not listed in the above rules. That was easy to fix: I simply replaced jpg|png|gif|mp3|ogg with pdf. Note what this list is: it is the set of extensions that the rules exempt from "deny from all", so after the change the product PDFs are fetchable directly over HTTP by anyone who knows their URL, exactly as the images were before.

Disabling Sub-Folder Browsing

I also added All to the first line, so that it read Options All -Indexes. The intention was to disable directory listings for every sub-folder of the folder that holds the .htaccess file, because each downloadable PDF was located in its own sub-folder. Two caveats: .htaccess directives already apply to all sub-folders unless a deeper .htaccess overrides them, so Options -Indexes on its own covers the product sub-folders; and Apache 2.4 refuses a line that mixes an absolute option (All) with a relative one (-Indexes), so on 2.4 the plain Options -Indexes is the form to keep.

However, whenever the website owner uploaded a new product, i.e. a new PDF document to sell, the rules were rewritten back to the default values.

Tweaking the Theme

So I added the following code to the theme's functions.php file:

The ForceType and Header rules make browsers offer the PDF as a download (a Save File dialog, via Content-Disposition: attachment) instead of rendering it inline in the browser window.

Forcing Files to Download, Not Open in Browsers

This was an important step because the links to the downloadable PDF files are constant. If a PDF opened inline in the buyer's browser, its direct URL would sit in the address bar, and that URL works not only for the buyer but for anyone else. Be clear about what the header does and does not do, though: forcing a download hides the URL from the address bar only. The address is still visible in the browser's download list and network tools, and the .htaccess rule changes how the response is handled, not who is allowed to request it, so anyone holding the direct link can still fetch the file.

Just to be sure, I also added the same rules to the .htaccess file:
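As an added example, not the post's own file, here is what the EDD download folder's .htaccess looks like with the three changes described above applied together: PDFs instead of the image and audio types, directory listings disabled, and the PDFs forced to download. The folder path is EDD's default upload location and is an assumption. The post predates Apache 2.4, whose Order/Allow/Deny syntax is only available through mod_access_compat, so both syntaxes are included and switched on the presence of mod_authz_core.

```apache
# wp-content/uploads/edd/.htaccess  (added example; path is EDD's default)

# Directory listings off, here and in every sub-folder beneath this file.
# .htaccess directives inherit downward, so "-Indexes" alone covers the
# per-product sub-folders; "Options All -Indexes" mixes absolute and relative
# options and is rejected by Apache 2.4.
Options -Indexes

# Deny direct HTTP access to everything in this folder by default...
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from all
</IfModule>
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>

# ...then re-open only the PDFs that EDD redirects buyers to.  This is an
# allow-list: every matching file is fetchable by anyone who knows its URL.
<FilesMatch "\.pdf$">
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>

    # Serve the PDF as a download instead of rendering it inline.
    # This changes how the browser handles the response, not who may request it.
    ForceType application/octet-stream
    <IfModule mod_headers.c>
        Header set Content-Disposition attachment
    </IfModule>
</FilesMatch>
```

For these directives to take effect, AllowOverride for the uploads tree must permit Options, FileInfo and Limit (2.2) or AuthConfig (2.4); if it does not, Apache answers every request under that folder with a 500 rather than ignoring the line.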

I was very unhappy when the website owner notified me that the downloads were not working again. The .htaccess file was back to its default settings…

At that point I was getting quite mad, but just to be sure I walked through the whole process in my mind. A visitor comes to the site's e-shop, puts the product into the shopping cart, fills out the form, pays via PayPal, PayPal confirms the transaction to EDD, EDD generates a link specifically for the buyer (not the directly accessible link to the PDF file), and the buyer receives this link in his or her email inbox (or spam folder). Once the buyer clicks the link, he or she is redirected to the file, but instead of showing the file's URL, a Save File dialog window opens. Beautiful! Except that it doesn't work.

So I went back to basics and checked every .htaccess file in the directories above the EDD folder. There were none in the intermediate folders; the only other one was in the root folder of the whole website, and there was nothing special about it, no unusual settings at all.

Locking All .htaccess Files

Anyway, I decided to add the following rule to the .htaccess file located in the root folder:

The intent of this rule is to lock all .htaccess files in the whole installation, i.e. in every sub-folder of the root folder, so that nobody but the website's owner can touch them. Strictly, a Files/FilesMatch deny block only stops HTTP clients from retrieving those files; it has no effect on the filesystem, and EDD rewrites its .htaccess from PHP under the web server's own user, which this rule does not restrict. Serving .htaccess files to the public should be refused regardless, since they reveal the site's access rules.

And ta-da, this solved the whole case. The EDD download folder's .htaccess no longer gets rewritten and the PDF downloads work as they should. Sometimes the simplest tools solve the most complicated problems.

Update (October 28, 2014)

Just to make extra sure, I also changed the default code within EDD's upload-functions.php file (beginning on line 153 in version 2.1.8). Keep in mind that edits to a plugin's own files are lost on the next plugin update, so this is a belt-and-braces measure, not a replacement for the theme hook:

This way, even if EDD ignored the code added to the theme's functions.php file, it would still write the same rules into the .htaccess file.

For harder locking of all .htaccess files, upgrade your root folder .htaccess file with the following rule:

This rule ensures that no file whose name begins with .hta (regardless of letter case) is ever served over HTTP, from the root folder or any sub-folder. You still reach the files yourself through FTP, SSH or the hosting panel; the rule only affects web requests. Apache's stock configuration ships an equivalent rule for names starting with .ht, so this mainly protects against hosts that removed it.
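As an added example (not taken from the post), here is a root .htaccess stanza that does what both the first lock rule and this updated .hta rule describe: refuse to serve any file whose name starts with .hta, case-insensitively, from the root and every sub-folder. As with the download folder, both the Apache 2.2 and 2.4 access syntaxes are included.

```apache
# Root .htaccess (added example).  Never serve .htaccess, .htpasswd or any
# other ".hta*" file over HTTP, from this directory or any directory below it.
# "(?i)" makes the PCRE match case-insensitive, so ".HTACCESS" is covered too.
# This controls HTTP requests only; it does not stop the web server's own PHP
# process (WordPress, EDD) from reading or writing these files on disk.
<FilesMatch "(?i)^\.hta">
    <IfModule !mod_authz_core.c>
        # Apache 2.2: deny everyone, and do not let Allow/Require override it
        Order Allow,Deny
        Deny from all
        Satisfy All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
</FilesMatch>
```

A quick check after saving: requesting https://example.com/.htaccess and https://example.com/wp-content/uploads/edd/.htaccess must return 403, not the file contents. Example.com here is a placeholder for the site being managed.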
