Tuesday, 17 April 2018

Allowing access to a submit button, but not the public

I have a public-facing site that uses WordPress. We have a single custom page for online applications to our service, but have discovered that if you know the name of one of the files on the server you can view anything by guessing the correct HTML link for the file.

These applications are stored online as a backup to the ones that are emailed by the submit form. We would like to make it possible for the HTML in the submit button to still save the applications, but not for people to access the subdirectory where they are stored. I can create a script to download and delete the applications on a schedule so that they are mostly cleared out, but there will always be the potential for someone to guess at the right moment and see the applications, or even brute force script downloads.
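One way to get the behaviour asked for above, as an added example that is not part of the original post: the form handler keeps writing each submitted application to disk, but to a directory outside the web server's document root and under a random server-chosen name, so no URL maps to it and neither guessing nor brute-forcing file names returns anything. Staff retrieve a copy only through a handler that first checks they are logged in. The path `/var/www/app-private`, the function names, and the `is_authorized_user()` check (shown here delegating to WordPress's `current_user_can()`) are assumptions for the example, not code from the site in question.

```php
<?php
// Added example (not from the original post): store submitted applications
// outside the web root and serve them only through an authenticated handler.

declare(strict_types=1);

// Assumption: this directory is OUTSIDE the web server's document root
// (e.g. the site lives in /var/www/html), so no URL resolves to it.
const PRIVATE_STORE = '/var/www/app-private';

// Assumption: the site's own login check. On WordPress, current_user_can()
// is the real capability test; outside WordPress this returns false.
function is_authorized_user(): bool
{
    return function_exists('current_user_can') && current_user_can('manage_options');
}

// Save one entry of $_FILES under a random name inside PRIVATE_STORE.
// Returns the token that identifies the stored copy (record it with the emailed copy).
function store_application(array $file): string
{
    // Only accept a file PHP itself received in this request, and only a clean upload.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if (!is_dir(PRIVATE_STORE) && !mkdir(PRIVATE_STORE, 0700, true)) {
        throw new RuntimeException('cannot create private store');
    }

    // The client-supplied file name is never used on disk: a 128-bit random
    // token is the only handle, and the extension is fixed by the server.
    $token = bin2hex(random_bytes(16));
    $dest  = PRIVATE_STORE . '/' . $token . '.bin';

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into private store');
    }
    chmod($dest, 0600); // readable by the web server user only
    return $token;
}

// Stream one stored application to a logged-in staff user.
function serve_application(string $token): void
{
    if (!is_authorized_user()) {
        http_response_code(403);
        exit('forbidden');
    }
    // Exactly 32 lowercase hex characters; this also rules out "../" and
    // any other path component an attacker might supply.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        http_response_code(404);
        exit('not found');
    }
    $real = realpath(PRIVATE_STORE . '/' . $token . '.bin');
    // Belt and braces: the resolved path must sit directly inside the store.
    if ($real === false || dirname($real) !== realpath(PRIVATE_STORE)) {
        http_response_code(404);
        exit('not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="application-' . $token . '.bin"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
}

// Wiring (constructed for the example): the submit handler calls
//   $token = store_application($_FILES['application']);
// and the staff download page calls
//   serve_application($_GET['id'] ?? '');
```

If the files have to stay under the web root for some reason, the fallback is to block direct URL access to that subdirectory at the web server: on Apache 2.4 an `.htaccess` in the directory containing `Require all denied` (and `Options -Indexes` to stop directory listings) makes every direct request return 403 while PHP, which reads the filesystem rather than a URL, can still write to and read from it. Moving the directory out of the web root is the more robust choice, because it cannot be undone by a mis-set `AllowOverride` or a theme update that rewrites the `.htaccess`.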



