Deny access via .htaccess file but still allow downloads from purchase


I am working on an ecommerce site for digital products.
I want to protect my digital products by denying access to that folder via the .htaccess file.
But I don't know if this will interfere with the process of buyers downloading their purchases.

Any suggestions?

Generally, file access is controlled by putting the off-limits files up above the publicly accessible public_html folder and then controlling access with scripting like PHP. I have seen, infrequently, HTTP authentication used to control file access. Not the best option. All depends on which way you want to go. I am assuming you will be selling and controlling access by using a database to determine which files a particular user has access to. Right?

I’m doing this in WordPress using the wp-estore plugin, so it will be using the WordPress database, yes.

A common method (I believe) is to place the files, say, deep within a folder structure on your site where no one would ever be likely to find it, or use a 3rd party site for storing the files. Then, once a purchase is made, users are given a generated gobbledygook URL to the resource that doesn’t identify the actual location and that expires after a certain period, so that the link can’t be passed on to others. As far as I know, all carts that include digital downloads will do something like this. So you just need to find a cart for selling downloads. It could either be a WP plugin or a totally independent, 3rd party provider, like FastSpring or Ejunkie. (There are tons of options out there.)

The best place for files like this is somewhere outside the web root so it’s not accessible directly at all, but only through a script that checks if the user actually has paid for the thing. Indeed, through some kind of token system.

The plugin I am using (wp-estore) dynamically generates a download link to prevent hot linking, so that part is already taken care of, but the plugin is not set up (as far as I can tell) to find files above the web root. If it will do this, I have no idea how to write the path to the files.

In that case put the file in a directory with a .htaccess file with the following contents:

deny from all

that makes sure none of the files in that directory can be accessed directly via Apache, in case anyone ever finds out the real location of the file.
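
The setup this thread arrives at, sketched as an added example (not part of any post above and not wp-estore's code): a PHP script that checks a signed, expiring link and then streams the file from the directory that .htaccess blocks. PHP reads the file from disk, so the Apache deny rule does not interfere with the download. The names DOWNLOAD_SECRET, PROTECTED_DIR, download.php and the file/expires/sig query parameters are assumptions made for illustration.

```php
<?php
// Added example, not wp-estore code. DOWNLOAD_SECRET, PROTECTED_DIR and the
// file/expires/sig query parameters are assumed names.
const DOWNLOAD_SECRET = 'replace-with-a-long-random-secret'; // constructed placeholder
const PROTECTED_DIR   = __DIR__ . '/protected'; // holds the "deny from all" .htaccess

// Build the expiring link handed to a buyer once the purchase is recorded.
function make_download_link(string $file, int $ttlSeconds, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttlSeconds;
    $sig = hash_hmac('sha256', $file . '|' . $expires, DOWNLOAD_SECRET);
    return 'download.php?' . http_build_query(['file' => $file, 'expires' => $expires, 'sig' => $sig]);
}

// Return the real file path if the link is authentic and unexpired, else null.
function resolve_download(array $query, ?int $now = null): ?string
{
    foreach (['file', 'expires', 'sig'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return null; // missing or malformed parameter
        }
    }
    $file     = $query['file'];
    $expires  = (int)$query['expires'];
    $expected = hash_hmac('sha256', $file . '|' . $expires, DOWNLOAD_SECRET);
    if (!hash_equals($expected, $query['sig'])) {
        return null; // forged or altered link (constant-time comparison)
    }
    if ($expires < ($now ?? time())) {
        return null; // link has expired
    }
    // basename() drops any directory part, so the path stays inside PROTECTED_DIR.
    $path = PROTECTED_DIR . '/' . basename($file);
    return is_file($path) ? $path : null;
}

// Handle the request only when this file is the script Apache was asked for.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    $path = resolve_download($_GET);
    if ($path === null) {
        http_response_code(403);
        exit('Download link is invalid or has expired.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . addcslashes(basename($path), '"\\') . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

On Apache 2.4 without mod_access_compat loaded, the equivalent of "deny from all" is "Require all denied".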