
外掛標籤
開發者團隊
原文外掛簡介
Folio Gatehouse lets you protect files inside your uploads directory by restricting access to specific WordPress user roles. Files are served through PHP — the web server never delivers them directly — so direct URL access is blocked regardless of link sharing.
Key features:
Zone-based protection — define named zones (subfolders inside your uploads directory) and assign allowed roles to each
Custom denial screens — create HTML pages shown to blocked users, with full control over styling and messaging; separate screens for anonymous and logged-in users
Redirect on denial — optionally redirect denied users to any URL (e.g. a sales page or membership signup) instead of showing a denial screen
Login redirect shortcode — [rbfa_login_link] inserts a secure login link that returns the user to the originally-requested file after authentication, using an opaque token so no file path is exposed in the URL
Zone virtual pages — each zone automatically gets a front-end page at /protected-zone/{slug}/ with customisable title and body content, rendered inside your active theme
Browsable file listing — [rbfa_files] shortcode renders a collapsible, downloadable file listing for authorised users, with per-directory file counts, sizes, and ZIP download buttons
Access logging — every request is logged with timestamp, username, IP, file path, and status; filterable, sortable, and exportable as CSV
Role management — create and manage custom WordPress roles (fgh_ prefix) directly from the plugin, with searchable member management
.htaccess integrity — automatically writes and repairs rewrite rules across all protected directories; optional hourly cron
NGINX support — dedicated tab generates ready-to-copy location blocks when NGINX is detected
Export / Import — back up and transfer zones, roles, denial screens, and settings as a JSON file; conflict resolution on import
Security
Files served through PHP (readfile) — web server never delivers protected files directly
Path traversal blocked by realpath() boundary check before any file is served
Login redirect tokens are opaque — no file path, role, or zone information in the URL
Denial screen HTML filtered through a strict wp_kses allowlist on save and read-back
CSRF protection on every form via WordPress nonces
All ORDER BY clauses use a server-side whitelist to prevent SQL injection
Requirements
Apache with mod_rewrite enabled, or NGINX (with manual server block configuration — see the NGINX Config tab)
