See the official online handbook for more information about securing private files. The information about private files starts at the "Managing file locations and access" header.
To make a private download truly private, you need to move the files directory (usually sites/default/files) to a new location outside the Drupal installation. It should be somewhere the user can't reach through a browser.
This tutorial is written based on my Dreamhost shared account. It is assumed you have shell (SSH) access to your host.
Here are the steps:
- Install Drupal.
- Connect to your host via shell.
- Create the new file directory.
- Set its permissions to 700 (only the owner can read, write and execute).
chmod -R 700 MY_FILES
- Set your domain permissions to 505 for increased security (owner and public can read and execute).
chmod -R 505 example.com
- Let's get the path to your new file directory.
- Copy the response (should be /home/XXX).
- It's time to tell Drupal where the new file system is. In admin/settings/file-system, change the file path to the path you copied before, followed by the new file directory (e.g. /home/XXX/MY_FILES).
- Do the same for the temp directory (e.g. /home/XXX/MY_FILES/tmp).
- Optional: If you already have files uploaded you can change their location with the following SQL, although you should be very careful with such changes.
UPDATE files SET filepath=REPLACE(filepath, 'sites/default/files', '/home/XXX/MY_FILES')
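A check for the finished setup, added here as an example and not part of the original tutorial: it confirms that the new file directory is outside the domain directory, has mode 700, and holds nothing with group or public permission bits. The function name check_private_dir and the temporary demo paths are assumptions; pass your own domain directory and /home/XXX/MY_FILES instead.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify a private files directory.
# Usage: check_private_dir DOMAIN_DIR PRIVATE_DIR
# Returns 0 when PRIVATE_DIR is outside DOMAIN_DIR, is mode 700, and holds
# nothing with group/public permission bits; 1 on a finding; 2 on a bad path.
check_private_dir() {
    # Resolve both paths to physical locations so they can be compared.
    docroot=$(cd "$1" 2>/dev/null && pwd -P) ||
        { echo "cannot enter domain directory: $1" >&2; return 2; }
    priv=$(cd "$2" 2>/dev/null && pwd -P) ||
        { echo "cannot enter file directory: $2" >&2; return 2; }

    # 1. The directory must not sit anywhere under the browser-reachable tree.
    case "$priv/" in
        "$docroot"/*) echo "FAIL: $priv is inside $docroot" >&2; return 1 ;;
    esac

    # 2. The directory itself must be drwx------ (chmod 700).
    perms=$(ls -ld "$priv" | cut -c1-10)
    [ "$perms" = "drwx------" ] ||
        { echo "FAIL: $priv is $perms, expected drwx------" >&2; return 1; }

    # 3. Nothing below it may carry any group or public bit.
    loose=$(find "$priv" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ] ||
        { echo "FAIL: group/public access on:" >&2; echo "$loose" >&2; return 1; }

    echo "OK: $priv is outside $docroot and owner-only"
}

# Constructed demo in a temporary directory (paths are placeholders).
demo=$(mktemp -d)
mkdir -p "$demo/example.com/sites/default/files" "$demo/MY_FILES/tmp"
chmod -R 700 "$demo/MY_FILES"
check_private_dir "$demo/example.com" "$demo/MY_FILES"
# The default location is rejected because it is inside the domain directory.
check_private_dir "$demo/example.com" "$demo/example.com/sites/default/files" ||
    echo "default files directory rejected as expected"
rm -rf "$demo"
```

Run it again after uploading files through Drupal: a file created with looser permissions than the directory shows up in the third check.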