1. Documentation /
  2. Approved Download Directories

Approved Download Directories

Starting with WooCommerce 6.5 it will be possible to take advantage of a new feature called Approved Download Directories to help manage the storage of downloadable product files.

This will be of particular interest if you already sell or plan on selling downloads, and especially if there are multiple users on your site with the ability to create and modify products (you may for instance have a small number of administrators, but multiple shop managers or product vendors).

Where Are Downloadable Files Stored?

↑ Back to top

When WooCommerce is installed it will try to create a new directory named woocommerce_uploads (located inside WordPress’s own uploads directory) and this will be available for file storage. However, in many cases, it may be preferable to store files elsewhere—such as using a cloud storage solution for very large files. WooCommerce fully supports this, but it also recognizes the challenges this introduces:

  • It may be company policy to store files only in approved locations to which administrators have full read/write privileges (in other words, letting employees link to downloads stored in their personal cloud storage account may not be acceptable).
  • Linking to files accessed via domains you do not control can also introduce various types of security risk, and so it may be desirable to limit acceptable locations to those on a pre-approved list.

The Approved Download Directory feature is intended to help with these challenges.

Approved Download Directory Settings

↑ Back to top

To help site administrators exercise control over the locations used for storing and serving product downloads, WooCommerce provides a range of settings found at WooCommerce ‣ Settings ‣ Products ‣ Approved Download Directories:

From this location, approved directories can be added, edited or removed and it is also possible to disable or enable this feature entirely (rules can also be disabled or enabled on an individual basis). Note that all approved directories, including filepaths, are expressed as URLs. Some things to bear in mind about this:

  • The scheme, or protocol, matters. In other words, http://example.com/ is not the same as https://example.com/ (although you can add both if needed, and you can also use the //example.com shorthand).
  • You can enter file paths directly, and once saved they will automatically be converted into URLs using the file:// scheme. For example, a file path can be entered as /directory/path/example/ and will be saved as file:///directory/path/example/.
  • Each approved directory implicitly covers all possible sub-directories. For example, if https://my.site/files/ is added to the list of approved directories, then it is perfect fine to add a file located within https://my.site/files/nested/sub-directories/ to a product.
  • These settings only impact digital downloads: they have zero impact on the WordPress media library or image handling generally.

To emphasize, only site administrators (or network administrators, in the context of multisite networks) have the power to modify this list. Anyone else, including shop managers (and vendors or vendor admins, if you happen to use the Product Vendors extension) will not be able to add downloadable files to products unless there is a corresponding entry on this page.

  • If you are the site administrator, and you are the only person managing your store, then you don’t need to worry about any of this: any time you add a downloadable file that is not covered by an existing rule, a new rule will automatically be added.
  • It is also possible to disable this functionality entirely (a toggle is present on the settings screen so you can start or stop enforcement of these rules), for cases where management of approved directories proves impractical.

In cases where a user such as an editor or shop manager tries to supply a URL that is not within an approved directory, they will see an error like the following one, which will encourage them to contact the administrator for further help:

Please note that, in the case of Product Vendors, error messages like these are not displayed to vendor-level users.

Enable and Disable Rules

↑ Back to top

To enable all the rules, an administrator can simply click on the Start Enforcing Rules button and, similarly, it can be disabled by clicking on Stop Enforcing Rules.

Administrators can also use the Enable All and Disable All buttons to enable and disable all the rules respectively.

To enable an individual rule, an administrator can click on the rule and enable/disable it from there. The same can be done by using bulk actions.

Updating to WooCommerce 6.5.0

↑ Back to top

This feature is being introduced in WooCommerce 6.5.0 and will be enabled by default for brand new installations. 

If you are upgrading from an earlier version, WooCommerce will take care of automatically populating the Approved Download Directories list in the background and it will notify you when the process is complete: that will give you as the site administrator a chance to review the locations currently being used for product downloads before enabling this functionality (until then, it will be disabled).

Additional Tools

↑ Back to top

There may be occasions when, as site administrator, you find you need to exercise additional control over this functionality. For instance, if you import product data using some method other than our official importer tool then the creation of new download paths may not initially be noticed by WooCommerce. For this reason, a couple of extra tools can be found in the WooCommerce â–¸ Status â–¸ Tools screen:

The first tool (“Synchronize approved download directories”) triggers a fresh scan of the product catalog: when downloadable product paths are discovered that are not already covered by existing Approved Download Directory rules, they will be added to the list (but will initially be disabled). The second one (“Empty the approved download directory list”) can be used to delete the existing Approved Download Directory list entirely.

Disabled Download Files

↑ Back to top

It is entirely possible, especially in more complex multi-user setups, that a downloadable file may be added to a product and, later on, the corresponding rule in the Approved Download Directory list may be disabled or deleted. In these cases the affected downloadable files will also be marked as disabled:

Customers who had purchased the product will no longer be able to access the disabled downloads, until or unless a site administrator corrects the problem.

Frequently Asked Questions

↑ Back to top

Can we use wildcards instead of entering http/https twice?

Yes, you can use the //example.com as a shorthand.

How can I delete all the rules or how can I reset the rules for Approved Download directories?

↑ Back to top

I do not want this feature because my shop manager uploads all the download files, not me. How do I stop this?

↑ Back to top

You can stop enforcing the rules under the Approved Download Directories settings:

Why is the woocommerce_uploads folder included in my Approved Product Downloads Directory and ticked as Enabled by default?

↑ Back to top

When WooCommerce is installed it creates a new directory named woocommerce_uploads (located inside WordPress’s own uploads directory) and this is available for file storage. When you upload files from the product creation page, those files are uploaded by WooCommerce and, get placed in woocommerce_uploads folder. This is WooCommerce’s own upload location, so those are enabled by default as it is already recognized as safe.

I have added a URL to the Approved Directory List but still, the file is reachable by customers who haven’t paid for it?

↑ Back to top

Approved Directory does not affect how file downloading is handled (i.e. if it is reachable by a direct link or not). It only affects the downloadable products that have a file located in an unapproved directory/location. eg: If you add a file to a product and the file URL is not approved by the administrator then the download won’t work.

If the download file is reachable by customers who haven’t paid for it. This would mean either of the below:

  1. You uploaded the file to the media library instead of using WooCommerce for the upload. WordPress’s media library is inherently public, it’s where all images attached to posts and pages get placed. When creating a downloadable product, you should upload the file from WooCommerce instead of picking a file from the media library. 
  2. You are using the Redirect only (insecure) method for file downloads. Using this method means your files will be unprotected and whoever has the upload link will be able to access the file, even when they are not logged in. Read more about Digital/Downloadable Product Handling