We have added more options for securing uploaded documents in Simple Files in the latest release which is version 2.10. There are now three choices in the Options area (gear cog in top right of the front end) under “File Privacy Options”. They are as follows;
The first is “Visible” which is the default, which means that if a user who is or is not logged in to your intranet knows the exact URL of an uploaded file, then they can download it. Depending on your server or configuration, they may or may not also be able to view files inside folders within your WordPress “wp-content/uploads” directory (though this is unusual).
In this mode, folders within the main WordPress default “/uploads” folder will not be searchable or available for download to any users (logged in or logged out). However, if a user is logged out, and they know the exact URL of a file within a folder, they still could download it. Note, some servers/installations already hide the /uploads folders automatically, so in some cases this feature may be redundant.
When options are set to “Blocked”, only logged in users can find, view or download your files or your folders within the “/uploads” area on your site. How we do this is to create a custom .htaccess file in the “/uploads” folder of your WordPress installation. Note, this is not in the root of your install, only the “wp-content/uploads” folder and so won’t jeopardize your site. We have also created an option to restore or remove this security option.
Here is a more general overview below of Simple Files;