For our secure (I thought) WP company intranet site, apparently even though the site is secure, the files in /wp-content/uploads are not. Anyone, even without being logged in, could view/download any file if they figured out when it was posted or otherwise brute-force stumbled on the right path.
I had no idea this was a thing and somehow never lucked into stumbling on it for years. The phrase “when you assume you make an ass out of u and me” comes to mind. Maybe if I saw a phone list PDF once in a while even if I wasn’t logged in I assumed it was cached or something? I dunno but I’m kicking myself.
So, if you’re assuming just because your site is secure that your files are too, don’t. Check them.
EDIT: Took out the last paragraph which, as was noted, did indeed read a bit like an ad.
This reads like a paid ad.
There are plenty of plugins that prevent file access to uploads.
But yes, everything in the /wp-content/uploads folder is available to the public.
Some plugins like “Updraft Plus Backup and Restore” add their own folder, like /wp-content/uploads/updraft, which they self-protect with an .htaccess file that is set to “deny from all”. Then the PHP code is responsible for granting access to every file within that folder.
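The two-part scheme the reply describes, as an added example that is not from the original thread or from any of the plugins mentioned: the web server is told to refuse direct requests to a subfolder of uploads (a file named `.htaccess` in that subfolder containing `Deny from all`, or `Require all denied` on Apache 2.4, which is the same "deny from all" idea the reply refers to), and a small WordPress plugin then serves files from that folder only to logged-in users. The subfolder name `protected`, the query parameter `protected_file` and all function names are assumptions chosen for this example; the WordPress API calls (`is_user_logged_in`, `wp_upload_dir`, `wp_check_filetype`, `nocache_headers`, `status_header`) are real.

```php
<?php
/**
 * Plugin Name: Protected Uploads Gatekeeper (illustrative example, not a real plugin)
 *
 * Assumes the folder wp-content/uploads/protected/ exists and contains an
 * .htaccess that blocks direct access ("Deny from all" / "Require all denied").
 * Files are then requested as /?protected_file=phone-list.pdf and are only
 * streamed to authenticated users.
 */

// Subfolder of the uploads directory that the web server refuses to serve directly.
const PROTECTED_UPLOADS_SUBDIR = 'protected';

add_action('init', 'protected_uploads_serve');

function protected_uploads_serve(): void {
    if (!isset($_GET['protected_file'])) {
        return; // Not a protected-file request; let WordPress carry on.
    }

    // Access decision: anonymous visitors get nothing, not even a file-exists hint.
    if (!is_user_logged_in() || !current_user_can('read')) {
        status_header(403);
        nocache_headers();
        exit('Login required.');
    }

    $path = protected_uploads_resolve(wp_unslash($_GET['protected_file']));
    if ($path === null) {
        status_header(404);
        nocache_headers();
        exit('Not found.');
    }

    protected_uploads_stream($path);
}

/**
 * Map a user-supplied relative name to an absolute path inside the protected
 * folder, or return null if it escapes that folder or does not exist.
 */
function protected_uploads_resolve(string $requested): ?string {
    $uploads = wp_upload_dir();
    $base = realpath(trailingslashit($uploads['basedir']) . PROTECTED_UPLOADS_SUBDIR);
    if ($base === false) {
        return null; // Protected folder has not been created.
    }

    $candidate = realpath($base . '/' . ltrim($requested, '/'));

    // Path-traversal guard: after resolving "..", symlinks, etc., the result
    // must still live strictly inside the protected folder.
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($candidate) || !is_readable($candidate)) {
        return null;
    }
    return $candidate;
}

/** Stream the file with a safe content type and no caching by intermediaries. */
function protected_uploads_stream(string $path): void {
    $type = wp_check_filetype(basename($path));
    $mime = $type['type'] ?: 'application/octet-stream';

    nocache_headers(); // Prevents proxies/browsers from caching a private file.
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}
```

Two practical notes: the `.htaccess` half only works when the site runs on Apache with `AllowOverride` enabled for that directory; on nginx the equivalent is a `location` block for the subfolder that returns 403, and without either the PHP gatekeeper is bypassed by the direct URL. And the OP's advice to "check them" is easy to act on: open a known upload URL in a private/logged-out browser window (or fetch it with curl) and confirm you get a 403 rather than the file.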