When customers upload a file through a Product Add-Ons field, the file is stored in wp-content/uploads/product_addons_uploads/ on your server. This guide shows you how to stop visitors from browsing that folder, so they cannot see a list of the uploaded files.
Before you start
- You need access to your server configuration or your hosting control panel. On managed or shared hosting, you may not have this access and will need to ask your host (see Managed hosting).
- Make a backup of any configuration file before you edit it.
- If you are not sure which web server your site uses, ask your hosting provider. The most common are Nginx, Apache, and LiteSpeed.
Do you need to do this?
Most web servers disable directory listing by default, so many stores are already protected and need no changes. It is safe to apply the steps below either way, as a hardening measure. If you want to check first, follow the steps in the Verify it works section below to see whether these folders need protecting.
What this protects against
Some web servers show a list of files when someone visits a folder URL that has no index page. This is called directory listing, or auto-indexing. If directory listing is enabled for your uploads folder, anyone who finds the folder URL can see the files in it and open them. Turning directory listing off is a standard hardening step for any store that accepts file uploads.
Product Add-Ons already adds a basic safeguard to the main uploads folder. The server settings below apply the same protection across the whole folder, including older files and per-customer subfolders.
This prevents anyone from browsing these folders. It does not make individual files private. Anyone with the exact file link can still open an uploaded file. If you collect confidential documents through an upload field, do not rely on add-on uploads as private storage.
Nginx
Add the following block to your site’s server configuration, near the end of the server block:
location ~* /wp-content/uploads/product_addons_uploads/ {
    autoindex off;
}
Reload Nginx for the change to take effect. You can do this with a command such as nginx -s reload, or through your hosting panel. Nginx disables directory listing by default, so this confirms that setting for the uploads folder even if another part of your server configuration turns it on.
Editing Nginx configuration requires server access. On managed Nginx hosting, ask your host to apply the block above.
Apache and LiteSpeed
Edit (or create) a .htaccess file inside the wp-content/uploads/product_addons_uploads/ folder and add this line:
Options -Indexes
This applies to the folder and all of its subfolders, so a single .htaccess file covers every uploaded file. LiteSpeed reads .htaccess the same way Apache does, so this one step covers both.
If your site shows a 500 Internal Server Error after adding the line, your host does not allow that setting in .htaccess. Remove the Options -Indexes line to restore your site, then use one of these alternatives:
- In cPanel, open the Indexes (or Directory Privacy) tool, browse to the product_addons_uploads folder, and set it to no indexing. This does the same thing without editing .htaccess.
- Ask your host to turn off indexing for that folder in the server configuration they manage.
Managed hosting
If you cannot edit your server configuration, or you are not sure which web server your site uses, send your hosting provider this request:
Please disable directory listing (auto-indexing) for wp-content/uploads/product_addons_uploads/ and its subfolders. The folder should return a 403 or an empty page instead of a file list.
Verify it works
1. Place a test order that includes a file-upload add-on and complete your checkout process.
2. Open the order in WooCommerce, or use the order confirmation email, and find the link to the uploaded file.
3. Copy that file’s URL and remove the filename at the end, leaving the folder URL (it should end with a slash).
4. Open the folder URL in a browser. You should see an empty page, a Forbidden page, or a 403 message, not a list of files.
5. Confirm that the uploaded file still opens from its full URL, and that your store loads normally with no 500 error.
If you see a list of files at step 4, directory listing is still enabled. Check the configuration for your web server above, or ask your host to apply it.
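The folder check described above can also be scripted. This is an added example, not part of the original documentation or of Product Add-Ons: it takes the URL of a file you uploaded in your own test order and tests that file's folder and each parent folder up to product_addons_uploads/, which covers per-customer subfolders. The "Index of /" marker is a heuristic based on the page title that Apache and Nginx auto-index pages use, and the sample page, the shop.example host and the abc123 subfolder are constructed.

```python
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Heuristic: Apache and Nginx auto-index pages are titled "Index of /<path>".
LISTING_MARKER = re.compile(r"<(title|h1)>\s*Index of /", re.I)

# Constructed sample of an auto-index page (not captured from a real store).
SAMPLE_LISTING = (
    "<html><head><title>Index of /wp-content/uploads/product_addons_uploads/"
    "abc123/</title></head><body><h1>Index of /wp-content/uploads/"
    'product_addons_uploads/abc123/</h1><a href="photo.jpg">photo.jpg</a>'
    "</body></html>"
)

def folder_url(url):
    """Drop the last path segment and any query string; result ends with '/'."""
    parts = urlsplit(url)
    path = parts.path[: parts.path.rfind("/") + 1]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))

def is_listing(status, body):
    """True only when the server answered 200 with an auto-index page."""
    return status == 200 and bool(LISTING_MARKER.search(body))

def http_get(url):
    """Return (status, body); a 403 or 404 is a result here, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_upload(file_url, get=http_get):
    """Test the file's folder and each parent up to product_addons_uploads/."""
    results = {}
    url = folder_url(file_url)
    while "/product_addons_uploads/" in url:
        results[url] = is_listing(*get(url))
        url = folder_url(url.rstrip("/"))
    return results

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_listing.py <uploaded-file-URL>")
    for url, exposed in check_upload(sys.argv[1]).items():
        print("LISTING EXPOSED" if exposed else "ok", url)
```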