We are using WPForo and everything seems great so far. The only issue we've found is that if someone gets hold of an attachment URL then anyone can access an uploaded file without having to be logged in. I understand the files are stored within the WordPress media library and potentially this could be the issue.
Are these URLs supposed to require an active session by default? Or is there a mod to support this? Would wpForo Advanced Attachments fix this issue?
Cheers,
Matt
P.S. Please ignore the attachment, I am testing something.
Hi Matt,
I'm sorry, but there are no extra security functions in the file attachment storing and displaying mechanism. All files are public, like they are for other WordPress plugins and blog posts. To make them non-public, we'll have to create a separate API and change image URLs to .php files with GET variables like this:
.../attachment.php?attach=23&session=xdf8edshk4r
These kinds of URLs get lots of conflicts with WordPress security plugins. Direct calls of PHP files are blocked by server and WordPress security systems. This will bring lots of problems on different websites.
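
An added example, not part of the thread and not wpForo code: one way to gate attachment downloads behind an active login without a directly called .php file, using only WordPress core functions. It assumes the attachments are media library items, and the query variable name `gated_attach` is hypothetical.

```php
<?php
/**
 * Added example (assumption, not wpForo code): serve an attachment only to
 * logged-in users through a WordPress query variable instead of a directly
 * called .php file. The query var name "gated_attach" is hypothetical.
 */

// Register the hypothetical query variable so WordPress passes it through.
add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'gated_attach';
    return $vars;
} );

add_action( 'template_redirect', function () {
    $id = absint( get_query_var( 'gated_attach' ) );
    if ( ! $id ) {
        return; // Not an attachment request; let WordPress continue.
    }

    // Require an active session; the login cookie replaces a session GET value.
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // Sends the visitor to the login page and exits.
    }

    // Resolve the ID server-side so no file path is taken from the request.
    $path = ( 'attachment' === get_post_type( $id ) ) ? get_attached_file( $id ) : false;
    if ( ! $path || ! is_readable( $path ) ) {
        status_header( 404 );
        exit;
    }

    $mime = get_post_mime_type( $id );
    nocache_headers(); // Keep gated files out of shared caches.
    header( 'Content-Type: ' . ( $mime ? $mime : 'application/octet-stream' ) );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
} );
```

The handler only helps if the web server also refuses direct requests to the stored file's path; otherwise the original public URL keeps working.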