How to create WooCommerce secure downloads

WooCommerce makes it really easy to sell digital content online. Whether you’re using DRM or not for your content, it’s best to not have a publicly-accessible link to your files. This article gives you a step-by-step process you can follow to create a WooCommerce secure download the proper way.

By default, WooCommerce will hide your files behind a link that looks like:

This allows you to limit the number of times a file is downloaded and how long a download link should be active for. But what if some nefarious customer follows the redirect from the download link and discovers that your files are actually stored out in the open under the wp-content directory? They could easily post the link and anyone could simply download the file. There’s an easy way to prevent this from happening and to secure your WooCommerce downloadable files. Here’s the process:

Steps to WooCommerce secure downloads:

  1. Connect to your website via FTP or SFTP and browse to where your WordPress files are. You should see files like index.php, wp-config.php, etc. This is your “webroot” and any files stored here or in sub-directories are (mostly) publicly-accessible by default, unless you’re using .htaccess rules.
  2. Browse to the folder above your webroot and create a folder named “downloads”. Upload all your downloadable files into this directory. Within your FTP client, you should see an option to copy the full path. In Transmit on OSX, it looks like this:
    Sell with WP WooCommerce Secure Download Transmit copy path
  3. Log in to your WooCommerce store and browse to the Edit Product page. Change the “File Paths” section from the old URL to the path you just copied:
    Sell with WordPress WooCommerce Secure Downloads Edit Product Page

    Hit save and you’re done.

That’s it! Repeat this process to secure all of your WooCommerce downloadable files and place a test order to make sure you don’t encounter any errors. Once you’ve done this, you can delete the old files stored in your wp-content/uploads directory. The format of your links won’t change at all and there’s no visible difference to the customer.

Max Rice
Max Rice is Jilt's co-founder and CEO at Jilt. He focuses on ensuring our app and integration plugins are top-notch while also working with merchants to get the most out of Jilt.


  1. This is really great advice. I was looking for this exact answer. I wondered if I was going to have to pay for some kind of expensive plugin to protect my files. nice little trick and I love how easy it is. Thanks for sharing.

  2. Aren’t the files still accessible from the outside if you follow the redirect? I would think they’d have to be otherwise the downloads wouldn’t work. It seems like you just moved them to a directory outside of the WP installation but still accessible to the public if they discover the URL. Mod X-Sendfile was recommended to me as an alternative but I have not gotten around to setting it up.

    1. They shouldn’t be when placed outside of your webroot, as Apache/Nginx won’t be able to serve them but PHP can. If you have access to mod-x-sendfile then it’s best to use that :)

  3. Hi,
    It didn’t work with the ordinary way for my download files so I tried above and this not either work. So I contacted my hosting company who said that there probably need to be some special permission for this folder on the server, is it like this?

    I haven’t deleted the upload folder because I thought maybe the hosting company could fix something can this be a problem?


    1. The folder and files inside need to be readable by your web server and PHP processes, otherwise this won’t work. You can ask your hosting provider to help you set those proper permissions :)

  4. Thank you, Max… I tried to find the information that you have shared here at Woocommerce and just didn’t see it if it was there. I’ll try this. Signed up for your newsletter and posts! My Christmas list is growing. :) I’ll try to give back, Lordwilling my site produces giving to me. Thanks again. Laura

  5. Hi Max,
    Thanks for the advice but I’ve tried a few things and I’m now more confused than anything. My files(hosting) structure is as follow:
    – WordPress files are in “wp” folder
    – Above this I have “public_html” folder (Which I would think is my “webroot”)
    – Above this is another level which I’ll call “hosting root” for now.
    I’ve tried to move the downloadable files in a folder both under “public_html” as well as my “hosting root”. When the folder is in public_html anyone can access the files if they know the url (like so no secure downloads here. When I place the folder in my “hosting root” the url can only use the IP (like and the link is treated as a ftp link, trying to connect to the hosting server.

    I thought I could control the access to the folder using permissions or maybe .htaccess file but I’m not sure what to use.
    Do you have any idea what I’m doing wrong or how I could fix my problem.
    FYI I’m using a WP multisite install but I don’t think this would change anything.

    1. Making a folder in your hosting root (like “assets”) should work fine. If you have SSH/command line access or SFTP/FTP access you can use that to navigate to that assets folder and either use pwd to show you the full directory path, or your FTP client may be able to display the full path. That path (+ the filename) is what you want to enter in WooCommerce for the filename. hope this helps!

  6. hi Max,

    I seem to be having trouble getting this to work correctly. I’ve created a folder that is outside the wwwroot folder (generically speaking) named ‘Download,’ made sure it had read permissions for public, and copied a sample file there. I’m using Windows and FileZilla, and couldn’t find anywhere that let me get the full path for the file, but I assumed it was /Download/ I put this entry in the file paths section as mentioned above, saved and tried it – kept getting a 404. I’m hoping this is enough information, but is there something I’m missing?

    Thanks for your input – great article!

    1. Hmm, you might have to ask your hosting provider for assistance with that — they should be able to give you the full path to your wwwroot — then you could just remove that and add your “download” path which should work :)

  7. Hi Max.
    Thanks for your post! I’m really looking forward for a solution to secure my downloadable products.
    At the moment, using “Force Download” is not an option because users cannot complete big files downloads.
    My server does not have mod_xsendfile.
    The only option is “Redirect only”.
    Absolute path does not work with this option.
    Could there be another solution for that?
    What if we use .htaccess to redirect to a php file before hitting the download file to check the purchase?

    1. Hey Renan, if you have large files for users to download mod_xsendfile is really your best option. I’d look into a hosting provider that will be able to add that module for you rather than hack together a .htaccess rule to a PHP file :)

  8. Thanks for great advice and useful instructions! I have done everything above and simulated purchases in my shop, and everything works just fine, until the downloaded product is corrupt and void of all data. Why is that? I have tried different paths to my folder, or to each specific product, and the only time the download wasn´t corrupt, was when I used the ftp://xxxxx_master/etc. link to the folder; but then I had to use my password to the master FTP to get access to the product – and that´s nothing I would want to hand out to customers :-)

    Currently I use the Linux path to the folder, and doing so I enter the path to each specific product in the folder. This works fine in every step of the purchasing process, until it shows that the product is corrupt and contains no data. Can it have something to do with my site being under SSL encryptation? I have checked the respective categories rights in the “downloads” folder and I can see nothing that not looks right there. The file type in question for both purchase and testing is PDF-documents.

    1. It sounds like it may be a hosting issue if the PDF file is corrupt. I’d ask them if they have any restrictions in place on the filesystem which might be causing the corruption :)

  9. First: thanks for reply and consideration of my problem!

    Second: I contacted my host provider, and they told me my the corruption is due to server restrictions. The only folder that could come in question for such downloading purposes would HAVE to be under my “public_html” folder – no place else. The solution I was presented, is to create a “downloads” folder under my “public_html” and use an .htaccess file where I specify conditions for what and whom is allowed access to the folder.

    The issue I now face is: How do I specify the script so I allow WooCommerce to link a download from that folder – since the links generated from a purchase I suppose are temporary? How do I link to that folder in WooCommerce so access is granted?

  10. Hello Max,
    It’s really helpful article as others, thank you.
    I just a bit confused that article is best way for me or not.
    I would like to sell a magazine but not monthly, yearly or whatever subscription, just one time payment . I just want to that when the customer buy a magazine immedietly redirect a new tab and see the readable PDF not download PDF. And also when customer buy a magazine after then can access other magazine issues.

    For example : I’m a customer. I click the Buy item any magazine on shop page after redirect to me if I pay this item to a new tab and i read PDF on the new tab so i saw a link on last page the PDF. The link says” You can access other issues when click this link i can read other magazine issues.

    How can I do that ? This article help with me ? :)

  11. Hi,

    Thanks for the wonderful article! I was able to make it worked on our site but we encountered 1 problem:

    When we set File URL value to=d:/hostingxxx/xxx/downloads/, on save the field value is reset to http:// but the file can be downloaded. The next time you save the product and didn’t set again the value then the file will be empty. Any idea why?


<em>Hmm, looks like this article is quite old! Its content may be outdated, so comments are now closed.</em>