Skip to content

Protecting the SlickOperator Uploads Directory

Audience: Hosting administrators deploying SlickOperator to a production web server. Type: Deployment hardening (defense-in-depth). This is not an installation guide and not a general WordPress hardening guide.

Purpose

SlickOperator stores generated and uploaded files — such as job photos — under a dedicated directory inside the WordPress uploads folder:

wp-content/uploads/slick-operator/

The plugin applies application-level protections to this directory automatically. Those protections are real, but they are not a substitute for correct web-server configuration. Ensuring the web server itself refuses direct access to this directory remains the host administrator’s responsibility — and on Nginx it requires an explicit rule, because Nginx does not honor the protection file the plugin writes.

What SlickOperator Already Does

On first use, SlickOperator applies the following protections to wp-content/uploads/slick-operator/:

  • Apache-compatible .htaccess guard — a deny rule is written to the directory so that, on Apache-family servers, files cannot be fetched or listed directly.
  • index.php guard — an empty index.php is dropped in the directory to prevent directory listing where indexing is enabled.
  • Randomized filenames — stored filenames include a random component, so direct URLs are not guessable even where the .htaccess guard is ignored.
  • Capability-gated serving — protected files are delivered through the plugin’s own permission-checked serving path, never through a public uploads URL.

These are defense-in-depth measures. They do not replace server-level configuration, and on Nginx the .htaccess guard has no effect at all (see below).

Nginx Requirement

Nginx ignores .htaccess files entirely. On an Nginx host, the plugin-written .htaccess guard is inert, so the web server will still serve files from the SlickOperator uploads directory on direct request unless you add a server-level rule.

Nginx deployments must add the deny rule below. It blocks direct browser access to files under the SlickOperator uploads directory and prevents PHP execution anywhere under uploads. Add it inside the site’s server { } block:

# Block direct access + script execution under SlickOperator uploads
location ^~ /wp-content/uploads/slick-operator/ {
deny all; # no direct fetch or directory listing
return 403;
}
# Defense-in-depth: never execute PHP anywhere under uploads
location ~* /wp-content/uploads/.*\.php$ {
deny all;
return 403;
}

Deployment Steps

  1. Add the rule above to the appropriate server { } block or Nginx configuration include for the site.

  2. Validate the configuration syntax and reload Nginx:

    Terminal window
    nginx -t && systemctl reload nginx
  3. Confirm that a direct request to a file under /wp-content/uploads/slick-operator/ returns 403 Forbidden.

  4. Confirm that authorized SlickOperator workflows — uploading and viewing job photos through the admin — still function normally.

Verification Checklist

  • nginx -t reports the configuration is valid.
  • Nginx reload completes without error.
  • A direct request to a file under /wp-content/uploads/slick-operator/ is denied (403).
  • Authenticated SlickOperator behavior (photo upload and viewing) still works.
  • No unrelated WordPress uploads paths are blocked.

Scope and Limitations

  • SlickOperator does not manage Nginx configuration automatically. Adding this rule is a manual, host-side step.
  • This guide applies only to the SlickOperator uploads directory (wp-content/uploads/slick-operator/). Do not broaden the deny rule to all of wp-content/uploads/ — doing so will block legitimate media.
  • Managed WordPress hosts (for example Kinsta or WP Engine) often apply an equivalent uploads/PHP-execution rule already; confirm with the host if you are unsure.
  • If the server uses nonstandard WordPress paths, consult the host administrator to adapt the location paths accordingly.