Protecting the SlickOperator Uploads Directory
Audience: Hosting administrators deploying SlickOperator to a production web server. Type: Deployment hardening (defense-in-depth). This is not an installation guide and not a general WordPress hardening guide.
Purpose
SlickOperator stores generated and uploaded files — such as job photos — under a dedicated directory inside the WordPress uploads folder:
wp-content/uploads/slick-operator/The plugin applies application-level protections to this directory automatically. Those protections are real, but they are not a substitute for correct web-server configuration. Ensuring the web server itself refuses direct access to this directory remains the host administrator’s responsibility — and on Nginx it requires an explicit rule, because Nginx does not honor the protection file the plugin writes.
What SlickOperator Already Does
On first use, SlickOperator applies the following protections to
wp-content/uploads/slick-operator/:
- Apache-compatible
.htaccessguard — a deny rule is written to the directory so that, on Apache-family servers, files cannot be fetched or listed directly. index.phpguard — an emptyindex.phpis dropped in the directory to prevent directory listing where indexing is enabled.- Randomized filenames — stored filenames include a random component, so direct URLs are
not guessable even where the
.htaccessguard is ignored. - Capability-gated serving — protected files are delivered through the plugin’s own permission-checked serving path, never through a public uploads URL.
These are defense-in-depth measures. They do not replace server-level configuration, and
on Nginx the .htaccess guard has no effect at all (see below).
Nginx Requirement
Nginx ignores .htaccess files entirely. On an Nginx host, the plugin-written .htaccess
guard is inert, so the web server will still serve files from the SlickOperator uploads
directory on direct request unless you add a server-level rule.
Nginx deployments must add the deny rule below. It blocks direct browser access to files
under the SlickOperator uploads directory and prevents PHP execution anywhere under uploads.
Add it inside the site’s server { } block:
# Block direct access + script execution under SlickOperator uploadslocation ^~ /wp-content/uploads/slick-operator/ { deny all; # no direct fetch or directory listing return 403;}# Defense-in-depth: never execute PHP anywhere under uploadslocation ~* /wp-content/uploads/.*\.php$ { deny all; return 403;}Deployment Steps
-
Add the rule above to the appropriate
server { }block or Nginx configuration include for the site. -
Validate the configuration syntax and reload Nginx:
Terminal window nginx -t && systemctl reload nginx -
Confirm that a direct request to a file under
/wp-content/uploads/slick-operator/returns403 Forbidden. -
Confirm that authorized SlickOperator workflows — uploading and viewing job photos through the admin — still function normally.
Verification Checklist
-
nginx -treports the configuration is valid. - Nginx reload completes without error.
- A direct request to a file under
/wp-content/uploads/slick-operator/is denied (403). - Authenticated SlickOperator behavior (photo upload and viewing) still works.
- No unrelated WordPress uploads paths are blocked.
Scope and Limitations
- SlickOperator does not manage Nginx configuration automatically. Adding this rule is a manual, host-side step.
- This guide applies only to the SlickOperator uploads directory
(
wp-content/uploads/slick-operator/). Do not broaden the deny rule to all ofwp-content/uploads/— doing so will block legitimate media. - Managed WordPress hosts (for example Kinsta or WP Engine) often apply an equivalent uploads/PHP-execution rule already; confirm with the host if you are unsure.
- If the server uses nonstandard WordPress paths, consult the host administrator to adapt the location paths accordingly.