File Access


Files are uploaded to the /var/www/groups/wp-content/uploads/groups-file-access directory.

Access to files in /var/www/groups/wp-content/uploads/groups-file-access is protected by an .htaccess file in that directory.

The directory listing is hidden through an index.html in /var/www/groups/wp-content/uploads/groups-file-access.

Serving Files

Screen Shot 2015-03-20 at 19.22.27

Screen Shot 2015-03-20 at 19.22.43An inline content-disposition means that the file should be automatically displayed. An attachment content-disposition, is not displayed automatically and requires some form of action from the user to open it.

Session Access

Screen Shot 2015-03-20 at 19.29.52 If enabled, all file URLs and links that are rendered using the [groups_file_url] or the [groups_file_link] shortcode will have a session access identifier appended automatically for authorized users.

These URLs grant access to files without the need to be logged in.

Session access can be granted for specific files without the need for this option to be enabled, by specifying the session_access="yes" shortcode attribute.

Screen Shot 2015-03-20 at 19.23.12

Temporary access is valid during the period of time established through the timeout.

If the temporary URL has not been accessed during that period of time, the link is invalid and access is refused.

The time period is extended for the duration of the timeout while the URL is accessed.


Notifications for the site administrator when a file has been accessed can be enabled and configured here.
Groups Files Access :: Notifications

These tokens can be used in the subject and message:

  • [file_id] The ID of the file served.
  • [file_path] The file path of the file served.
  • [file_url] The URL of the file served.
  • [ip] The IP address to which the file is served.
  • [server_ip] The IP address of the server.
  • [referrer] The HTTP referrer string.
  • [request_uri] The request URI string.
  • [request] The request data.
  • [datetime] The date and time at which the file has been served.
  • [site_title] The title of the site.
  • [site_url] The URL of the site.
  • [user_id] The ID of the user to whom the file has been served.
  • [username] The username of the user to whom the file has been served.

The tokens are substituted in the notification message with their corresponding values for the file access.

Serving large files

Depending on the existing configuration, it might be necessary to adjust some directives.

PHP Configuration for Large Files

If you want to serve large files, you might need to adjust your php.ini.

For example, to serve files up to 128M:

upload_max_filesize = 128M
post_max_size = 129M
max_execution_time = 300

See also:

nginx Configuration for Large Files

Under nginx the client_max_body_size directive should also be adjusted accordingly within a httpserver or location context. This can be done in the server configuration file /etc/nginx/nginx.conf or in a site-specific configuration file similar to /etc/nginx/sites-available/default :

server {
    client_max_body_size 128M;

See also:


If you are using nginx, the folder managed by Groups File Access that holds protected files must be protected by adding the appropriate location rule to the configuration file.

Under Uploads note the path of the directory where files are uploaded. Use the path with the location directive, adding these lines in the nginx configuration file:

location /var/www/groups/wp-content/uploads/groups-file-access {
deny all;

In the above example, the folder we must protect is /var/www/groups/wp-content/uploads/groups-file-access.

For large files, see above under Serving large files and make sure that the client_max_body_size directive is set accordingly.


Note: We do not recommend IIS. If you have no other choice, please make sure to protect the files handled by Groups File Access as indicated below.

If you are using IIS, the files managed by Groups File Access will be unprotected unless you use Request Filtering or other means to avoid direct access to the files.

The following instructions are based on IIS 7, similar instructions should apply if your version differs, or use the zip file provided below.

Open IIS Manager and on the left side under Connections select the site where Groups File Access has been installed. Expand the tree until you get to wp-content/uploads. The groups-file-access directory is a subdirectory that has been created by Groups File Access. Select the uploads directory in the Connections pane, double-click on Request Filtering in the middle pane, click Add Hidden Segment… in the right pane and in the dialog box that appears, input groups-file-access and click OK.

This will create a web.config (click to download a zipped version) in the uploads directory which protects direct access* to the files.

* Access to their URL within wp-content/uploads/groups-file-access is protected, this is different from the URL provided by Groups File Access which grants access to these files to authorized users.

See also:

Cleaning up after tests

Screen Shot 2015-03-20 at 19.24.02

The plugin provides two data deletion option. The Groups plugin must be activated for these to take effect.

If the upload folder is deleted while the Groups File Access plugin is activated, deactivate and reactivate the plugin.

Moving to another Server

IMPORTANT : Make a full backup of your WordPress site and database before moving and before running any MySQL query on its database.

If you are moving your WordPress installation to another server, file paths will most likely change. This requires an update of one of the database tables used by Groups File Access which must be done using the following replacement MySQL query (the paths must be adjusted before you execute the query) :

UPDATE wp_groups_file SET path = REPLACE( path, '/var/www/groups/wp-content/uploads/groups-file-access/', '/www-docs/wordpress/wp-content/uploads/groups-file-access/' );

In this example we assume that your files were located in /var/www/groups/wp-content/uploads/groups-file-access/ on the old server and are placed in /www-docs/wordpress/wp-content/uploads/groups-file-access/ on the new server. You can see the new location used under Uploads the path of the directory where files are uploaded is shown.

The query can be run directly on the command line of your MySQL client or through phpMyAdmin.