Skip Navigation

[Resolved] Restricting access to files uploaded with Toolset Forms

This support ticket is created 2 years, 8 months ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
- 9:00 – 13:00 9:00 – 13:00 9:00 – 13:00 9:00 – 13:00 9:00 – 13:00 -
- 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 -

Supporter timezone: Asia/Karachi (GMT+05:00)


Tell us what you are trying to do?

I am trying to set up a public submission form through which anonymous website visitors (guests) would upload confidential data (like CVs or cover letters). I do not want those files to be then publicly visible for anyone else other than e.g. Administrators or Editors.

Steps I do:
1. create a Fields Group through Toolset > Custom Fields > ... create a new group with the following entries: First name, Last name, File
2. create a Post Type through Toolset > Post Types > ... create a new custom post type that uses the Submission Fields
3. create a Post Form through Toolset > Post Form > ... create a new post form for Submission
4. fill out the Post Form - upload a file

Observed behavior:
The uploaded file is publicly visible e.g. under: hidden link

Desired behavior:
The uploaded file should not be visible for anyone else other than Admins or Editors of the website.

Is there a similar example that we can see? - unfortunately it seems that the proposed solution is no longer available under the given link with the solution



Languages: English (English )

Timezone: Asia/Karachi (GMT+05:00)


Thank you for contacting us and I'd be happy to assist.

I'm afraid, there is no built-in feature available to stop files uploaded through the front-end forms from getting added to the WordPress media library or restrict them from public access.

To achieve this, you'll need some custom code or third-party plugins like:



I see, could you give me some assistance to achieve this in that case?

I downloaded both plugins and tried figuring it out on my own but failed.

Best regards,


I came up with the following hand-crafted solution.
I created my custom plugin: hidden link
It hooks into upload_dir & wp_handle_upload hooks from WordPress core. What my hooks do is they basically change the directory to which files uploaded through a form with field id 'wpcf-file_attachment' are saved. The new directory to which they are saved is 'wp-content/uploads/submissions'. Also the URL to the file is change accordingly to the format wp-content/uploads/submissions?file=<name>'.
To secure the 'submissions' directory from direct access I configured .htaccess to redirect all requests to that directory to GET file=<filename>. I also put there an index.php in the directory which checks if the GET requests that hit under ?file=<filename> are authorized to do so (ie. that the user visitor is logged into WordPress). One vulnerability might be directory traversal in the file name which index.php also prevents.

What do you think about that solution? I am new to WordPress, I needed something very simple but I am not sure if what I propose is 100% safe.

Best regards,



Languages: English (English )

Timezone: Asia/Karachi (GMT+05:00)

Hi Jakub,

Thank you for sharing your custom solution here and it will surely help others with a similar requirement.

Since this code targets only the upload for a specific custom field, the default functionality of the WordPress media library won't be affected which is great.

I can't think of any drawback or safety concern linked to this approach.



My issue is resolved now. Thank you!

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.