Live · Free download
v1.0.8
Free — no purchase required
Pro optional

Secure File Downloads

Hand out PDFs without burning the direct /wp-content/ URL.


→ the free version is fully usable on its own. Pro is an optional upgrade, not a paywall.


Then $7/mo after your 14-day trial · cancel anytime in one click.

/ what it does

You want to give visitors a PDF, a brochure, a price sheet — but you don't want to leak the raw /wp-content/uploads/ URL into your HTML where it gets scraped, hot-linked, and shared past your control. Secure File Downloads picks the file from your Media Library, hides the real URL behind a stable File ID, and serves the download through a nonce-protected endpoint with a clean shortcode button. No file manager bloat, no membership plugin, no fake feature ladder. Pro adds per-file password gates, download limits with counters, and a download analytics dashboard — so you actually know who pulled what.

/ who it's for

If any of these sound like you

Newsletter and lead-magnet bloggers

You wrote a 30-page guide, captured an email, and now you need to deliver the PDF. You don't want that PDF URL hot-linked across Reddit by tomorrow. One shortcode, one nonce-protected endpoint, one File ID — done.

Small businesses distributing price sheets and brochures

Sales sends customers a download link. Pro adds a per-file password and a counter, so when the same PDF gets passed to a thousand people, you see it and you can change the password without rewriting any links.

Agencies and freelancers wiring up client sites

Client wants secure downloads — but a full file manager plugin is overkill and a membership plugin is six weeks of setup. Drop this in, paste the shortcode in five posts, done before lunch.

Course creators and membership-lite sites

You're gating downloadable resources but you're not running a full LMS. Password each file, set a download cap per file, and watch the analytics tell you which resources actually get pulled.

/ features

What's in the box

Everything in the free column works on its own — install it and you're done. The pro column is an optional upgrade for power users; you never need it to use the plugin.

Free version

no purchase required · fully usable

  • Media Library file picker
    Pick any file already in your Media Library and assign it a stable File ID.
  • Shortcode download buttons
    [bbasfd_download id="FILE_ID"] places a download button anywhere — pages, posts, widgets, page builders.
  • Nonce-protected endpoint
    Downloads stream through a controlled endpoint that validates a nonce before serving the file.
  • Hidden direct URLs
    The actual /wp-content/uploads/ path is never rendered in your HTML.
  • Customizable button text & class
    text="Get the PDF" and class="my-css-class" attributes for styling and copy.
  • Unlimited secure files
    No cap on the number of secure File IDs you can create on the free tier.
  • WP_Filesystem-based reads
    Plugin Check compliant — no raw fopen, no direct $_GET access.
  • Works with any page builder
    Elementor, Gutenberg, classic editor — anywhere shortcodes render.

Pro adds (optional)

an upgrade, not a gate

  • Unlimited files (license-flag override)
    Pro hooks bbasfd_max_files at priority 99 and forces it to 0 (unlimited). Free defaults to 0 already as of 1.0.7, but Pro keeps the explicit override so cap restoration in a future free release wouldn't affect pro users. Confirmed at pro/bba-secure-file-downloads-pro.php lines 79-81.
  • Per-file download limits
    Set a maximum download count per file (0 = unlimited). When the counter hits the cap, downloads of that file return forbidden. Includes a 'Download Limits (Pro)' admin sub-page showing current count + remaining for each file, plus a reset-counter form. Implemented in pro/includes/pro-core.php as of pro v1.1.0 (shipped 2026-05-16). Counter is stored in the existing BBASFD_OPT_FILES option (extends each file entry with 'limit' and 'downloads' keys).
  • Download analytics
    Per-download event log + admin dashboard. Logs each successful download (timestamp, file_id, attachment_id, user_id, anonymized IP /24, user agent). 7/30/90-day window selector, 4 summary cards, daily inline-SVG bar chart, top files + recent events tables. New DB table bbasfd_download_events. Implemented in pro/includes/class-download-analytics.php as of pro v1.2.0 (shipped 2026-05-17).
  • Password-protected downloads
    Per-file password gate that runs before the download is served. Correct password issues a 30-minute httponly HMAC-signed cookie so the same browser isn't re-prompted within the TTL. Challenge page is self-contained (inline styles, no theme dependency) and shows an error banner on wrong-password retry. Admin sub-page 'File Passwords' lets the operator set/clear passwords per file. Implemented in pro/includes/class-password-protection.php as of pro v1.2.0 (shipped 2026-05-17).
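
The unlock cookie described in the password-protection item, sketched in plain PHP as an added example; this is not the plugin's code, and the token layout, function names, cookie name and key are assumptions. It shows why the signed value has to cover both the file ID and the expiry: a token issued for one file, or one whose expiry was edited, fails verification.

```php
<?php
// Added illustration, not the plugin's code. Token layout, names and key are assumptions.
const UNLOCK_TTL = 1800; // 30 minutes, the TTL stated above

function issue_unlock_token(string $fileId, string $key, int $now): string {
    if (strpos($fileId, '|') !== false) {
        throw new InvalidArgumentException('file ID must not contain the field separator');
    }
    // Bind the token to one file and one expiry so it cannot unlock anything else.
    $payload = $fileId . '|' . ($now + UNLOCK_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function verify_unlock_token(string $token, string $fileId, string $key, int $now): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return false; // malformed: fail closed
    }
    [$tokenFile, $expiry, $mac] = $parts;
    // Verify the MAC in constant time before trusting any field.
    $expected = hash_hmac('sha256', $tokenFile . '|' . $expiry, $key);
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    return ctype_digit($expiry) && (int) $expiry > $now && $tokenFile === $fileId;
}

function send_unlock_cookie(string $token, int $now): void {
    // Server-side call site (not invoked in the demo below); cookie name is hypothetical.
    setcookie('example_unlock', $token, [
        'expires' => $now + UNLOCK_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo values.
$key = 'constructed-demo-key-not-a-real-secret';
$now = 1700000000;
$token = issue_unlock_token('brochure-01', $key, $now);
[$f, $e, $m] = explode('|', $token);
$cases = [
    'same file, inside TTL'  => [$token, 'brochure-01', $now + 60],
    'different file ID'      => [$token, 'pricelist-02', $now + 60],
    'after the TTL'          => [$token, 'brochure-01', $now + UNLOCK_TTL + 1],
    'expiry edited, old MAC' => ["$f|" . ((int) $e + 86400) . "|$m", 'brochure-01', $now + 60],
];
foreach ($cases as $label => [$tok, $file, $at]) {
    printf("%-24s %s\n", $label, verify_unlock_token($tok, $file, $key, $at) ? 'accepted' : 'rejected');
}
```

The signing key must stay server-side and be independent of the per-file password, so changing a password does not require rotating the key and a leaked cookie reveals nothing about either.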
/ pricing

No lite-version tricks

Free
Unlimited secure files
$0 forever
  • Unlimited secure files
  • Shortcode buttons
  • Nonce-protected endpoint
  • Direct URL hiding
Pro · 1 Site
Analytics, passwords & download limits
$49 /year
  • Everything in Free
  • Download analytics — who, when, how many
  • Password-protected downloads
  • Per-file download limits
  • Email support
Pro · 5 Sites
For multi-site agencies
$129 /year
  • Everything in 1 Site
  • Use on up to 5 sites
  • Priority email support
Agency · Unlimited
For dev shops & agencies
$299 /year
  • Everything in 5 Sites
  • Unlimited site activations
  • Priority email support
/ faq

Common questions

How does the secure download endpoint actually work?
You pick a file from the Media Library and the plugin assigns it a stable File ID. The shortcode renders a button that links to a controlled endpoint (with a nonce on the URL). When a visitor clicks it, the plugin validates the nonce, locates the file, and streams it back. The actual `/wp-content/uploads/...` path is never written into your page HTML.
Why does the free version limit me to 3 files?
That's the freemium gate. The free plugin is fully usable for small sites — 3 files covers most blogs, lead magnets, and one-page businesses. If you need more, Pro lifts the cap. The limit is applied through the `bbasfd_max_files` filter so it's a clean, single point of gating.
Do I need WooCommerce?
No. This plugin works on any WordPress site. It does not depend on WooCommerce, downloadable products, or any membership plugin.
Does it work with Elementor and Gutenberg?
Yes. Use Elementor's Shortcode widget or a Shortcode block in Gutenberg with `[bbasfd_download id="FILE_ID"]`. Works in classic editor too — anywhere shortcodes execute.
Can I customize the button text and styling?
Yes. The shortcode accepts:
  • `text="Get the free guide"` — overrides the default button label
  • `class="my-css-class"` — adds your CSS class so you can style it to match your theme
Does it hide my Media Library URL completely?
The download button itself does not expose the direct upload URL — it points at the plugin's endpoint instead. However, this plugin does not block someone from typing the upload URL directly into their browser if they know it. For full file access lockdown (where the upload URL itself returns 403), you'd need to combine this with `.htaccess` or NGINX rules on `/wp-content/uploads/`.
Is it Plugin Check / WordPress.org compliant?
Yes. v1.0.7 explicitly addresses Plugin Check requirements: nonce validation runs before any other request input is touched, downloads use `WP_Filesystem` for file reads, all `$_GET` values are unslashed before sanitization, and the download endpoint has documented permission hooks.
Will my downloads work behind a CDN or caching plugin?
The shortcode output is cacheable, but the download endpoint itself uses nonces and should be excluded from caching. Most caching plugins skip URLs with query strings by default, which covers this — but if you've got an aggressive cache config, exclude the plugin's download endpoint manually.
What does Pro add?
Per the WP.org FAQ: unlimited files, download analytics, password-protected downloads, and per-file download limits.
Where do I get support?
Free version: the WordPress.org plugin support forum. Pro: email **support@bigbad.agency** with your license key.