Most free Cloud hosting services does not offer control over access privileges. Once a file is shared, everyone can download the file with the share link. To prevent this, WP-Filebase acts as a authentication proxy.For each file hosted on a cloud service – such as Google Drive, Dropbox and OneDrive – you can set individual access permissions based on users and user roles in WP-Filebase Dashboard.
Once a user tries to access a file from your WordPress site, WP-Filebase checks for these permissions. If access is granted, it sends a share request to the Cloud service to retrieve a share URL for that file. It then redirects the browser of the downloading user to this share URL and the download begins.
The leak safety (e.g. the risk that some not-authenticated user can download the file) of this process, depends in the structure and state of the share URL, which is generated by the cloud host. A possible vulnerability is URL guessing: the attacker has an idea about file and folder names and just tries various URLs until the server returns the file. Another security aspect is the lifetime of the share URL. Links can easily get into the wrong hands, for example from the browser history. A link with a lifetime of a couple of minutes prevents this. Once the link is expired, the user needs to re-authenticate in order to access the file.
Lets have a look at each service:
- FTP provides poor security, since URLs are easy to guess (no hashing, no tokens in the URL). There is no URL signing. However, you can configure the FTP server so it does not accept anonymous connections, but this will require you to share FTP login details with your users and there is no automatic WordPress user authentication
- Dropbox URLs are safer, since impossible to guess. There is an expiration time for share links, but the timespan is not defined for Dropbox free users. With paid Dropbox Pro/Enterprise accounts you can set a custom link expiry time.
- Amazon S3 is very secure, because you can set link expiry time (down to a couple of seconds). Files are securely servered over HTTPS. No URL-guessing possible.
- Google Drive has its own share permission system with Google Accounts. It does not currenlty generate share links with a limited life time.
- ownCloud supports link expiry dates, thus is very secure.
Note that you can never prevent someone from sharing your files, even if the links expire. “Bad guys” can easily re-upload files on any host and share these links.