Docs
← Back to site

WooCommerce secure downloads

4 min readUpdated June 28, 2026

WP Media Cloud adds secure signed download support for WooCommerce downloadable products. When enabled, downloadable files stored in cloud storage are served via time-limited signed URLs rather than direct bucket URLs. This prevents customers from sharing or hotlinking download links after their purchase.

How secure downloads work#

By default, files stored in a cloud storage bucket are accessible to anyone who knows the URL. For WooCommerce downloadable products this creates a problem — a customer who purchases a file could share the direct bucket URL with anyone, bypassing your WooCommerce access controls entirely.

Signed URLs solve this by generating a URL that includes a cryptographic signature tied to an expiry time. The URL only works until it expires and cannot be shared usefully because the signature is specific to the request. When a customer clicks a download link in WooCommerce, WP Media Cloud generates a fresh signed URL for that file and redirects the customer to it. The signed URL expires shortly after, making it useless to share.

Supported providers#

Signed URL generation requires support from the storage provider. WP Media Cloud currently supports secure downloads on two providers:

  • Bunny Edge Storage — signed URLs are generated using Bunny’s token authentication system. Requires a token authentication key configured in your Bunny storage zone settings.
  • Cloudflare R2 — signed URLs are generated using AWS SigV4 signing, which R2 supports natively. No additional configuration is required in Cloudflare beyond your standard R2 credentials.

Secure downloads are not available on Amazon S3, Wasabi, DigitalOcean Spaces, Hetzner, Backblaze B2, Google Cloud Storage, or S3-compatible endpoints in the current release. On these providers, downloadable files are served via direct bucket URLs.

Setting up secure downloads on Bunny Edge Storage#

To enable signed downloads on Bunny Edge Storage:

  1. Log in to your Bunny dashboard and open your storage zone.
  2. Go to the Security tab and enable Token Authentication.
  3. Copy the token authentication key shown on that page.
  4. In WordPress, go to WP Media Cloud > Settings > Storage and paste the token authentication key into the Bunny Token Auth Key field.
  5. Enable the WooCommerce Secure Downloads option.
  6. Save settings.

Setting up secure downloads on Cloudflare R2#

To enable signed downloads on Cloudflare R2:

  1. Confirm your R2 credentials (Account ID, Access Key ID, and Secret Access Key) are correctly entered in WP Media Cloud > Settings > Storage.
  2. Enable the WooCommerce Secure Downloads option.
  3. Save settings.

No additional Cloudflare configuration is required. WP Media Cloud uses SigV4 signing with your existing R2 credentials to generate signed URLs.

Configuring the signed URL expiry time#

The expiry time controls how long a signed URL remains valid after it is generated. Go to WP Media Cloud > Settings > Storage and set the Signed URL Expiry value in seconds. The default is 300 seconds (5 minutes), which is sufficient for most downloads.

Set the expiry long enough that a customer on a slow connection can complete the download before the URL expires, but short enough that a shared URL is useless by the time someone else tries to use it. For large files, increase the expiry to account for longer download times.

Testing secure downloads#

To confirm signed downloads are working:

  1. Create a WooCommerce product with a downloadable file that has been offloaded to cloud storage.
  2. Place a test order for the product.
  3. Go to the order confirmation page or the WooCommerce downloads page and click the download link.
  4. Confirm the file downloads successfully.
  5. Copy the download URL from the browser’s network tab. It should contain a signature parameter or token query string rather than being a plain bucket URL.
  6. Wait for the expiry time to pass and try the URL again. It should return an access denied or expired error from the storage provider.

What happens on unsupported providers#

If you have WooCommerce secure downloads enabled but are using a provider that does not support signed URLs, WP Media Cloud will fall back to serving the direct bucket URL for downloads. No error is shown and downloads will still work, but the URLs will not be signed or time-limited.

This website uses cookies to enhance your browsing experience and ensure the site functions properly. By continuing to use this site, you acknowledge and accept our use of cookies.

Accept All Accept Required Only