In WPJB 5.10 a new feature for securing file uploads was introduced. You can access the settings from the wp-admin / Settings (WPJB) / Files Security panel.
Security with Apache Server
If you are using an Apache server the files are protected by default with the mod-rewrite Apache module, in this case in the settings panel you should see a screen like in the image below.
You should not need to make any changes in the settings, but just to make sure it would be best to add a new application, upload to it at least one file, and try to open it in a new browser or in the incognito mode, if you will see an error message this means the files are protected correctly.
That said if you want an additional layer of security or to fine-tune which files you want to protect then you can press the “Show settings anyway …” button and configure the security options.
Security with other Servers
Other servers will usually be Nginx or Lighttpd, this servers do not work with the mod-rewrite and have no easy way to replicate this functionality, especially on shared servers.
If you are using one of these servers you will need to manually configure the files security. You should see a form like the one below
The form has the following fields:
Files Security – when checked the other settings below are being applied, otherwise, the configuration below is ignored.
Secure Folder Path – by default WPJB stores files in the default WordPress upload folder, this means that if someone knows an exact URL to the file he can view it in the browser.
To prevent that you can enter a secure folder path (outside of browser reach). How to create this folder depends on your server control panel, but usually, you should have access to some Files Manager that will allow you to create the folder.
The key thing is that the folder is not reachable with a web browser so for example if your WordPress files are in a directory like /home/server/public_html/ then your secure folder could be /home/server/wpjobboard-uploads/
Usually, it will be best to create this folder using Files Manager and grant it 0755 access so WPJB will be able to upload files there.
Important Note: if you decide to store your application files in this secure location then using Files Manager (or FTP) you need to move all the files and directories from the default wp-content/uploads/wpjobboard/application to the new /home/server/wpjobboard-uploads/application folder otherwise the old files will not be accessible when editing job applications.
While this option requires quite a lot of manual work it provides the best security possible.
Enable Hashing – the file paths can reveal parts of the address where the actual file is located, if you enable the hashing then the file paths will be encrypted.
Hashing Key – the Hashing Key is being used when the Hashing is enabled, the key should be just a random string of text, for your convenience there is a “Generate” button that you can click the have the string automatically generated.
Data Section – in this section, you can select which objects should be protected (available are Jobs, Applications, Resumes, Employers).
While you might be tempted to check all of them, usually it will not be the best solution for a few reasons:
- the files that are being protected cannot be accessed and indexed by search engines, so they cannot appear in the Google search results. If you want maximum exposure in Google and other search engines then you will want the files indexed.
- loading a protected file uses more resources (server CPU and RAM) than accessing it directly.
Unless you have some specific use case we recommend securing only the Applications and maybe Resumes if the resumes are available to premium members or contain some private user files.
If you want to protect some specific file upload field in the Resumes (or other data types) then after checking the checkbox next to the Resumes, below an Exclude field will appear, inside it you can type all of the file uploads field names that you want to exclude from being protected.