File Management

PortalPress includes a file manager for sharing files with clients. The same file manager interface is used in both the admin portal and the client-facing portal.

Storage

Files are stored in wp-content/uploads/portalpress/{user_id}/. Each file is saved with a UUID filename — original filenames are stored in the database for display but never exposed on disk or in URLs.

The upload directory is protected with .htaccess rules that block direct access and disable PHP execution.

Uploading Files

Drag and drop files or use the upload button. Multiple files can be uploaded at once. Each upload is validated for:

  • File size (configurable, default 2 MB max)
  • File type (must be in an allowed category)
  • MIME type verification
  • Magic byte signature validation
  • Image files are re-encoded to strip embedded payloads

If two files have the same name in the same folder, PortalPress appends a number (e.g. “document (2).pdf”).

Folders

Create folders to organize files. Folders can be nested up to the configured maximum depth (default 3 levels). Folder hierarchy is maintained in the database — not as real filesystem directories.

Duplicate folder names are prevented within the same parent folder.

File Visibility

Files and folders can be set to:

  • Shared — visible to both the client and admins
  • Admin Only — visible only to admins in the backend portal

Toggle visibility from the admin file manager. Clients never see admin-only items.

Trash & Deletion

  • Trash — soft-deletes the item. Trashing a folder also trashes all its contents.
  • Restore — restores a trashed item (and folder contents) back to its original location.
  • Permanent Delete — removes the database record and the physical file from the server. This cannot be undone.

There is no automatic purge — permanent deletion is always a manual action.

Secure Downloads

Files are downloaded via PHP streaming. The download URL format is ?pp_download=FILE_ID. When a download is requested:

  1. User must be logged in
  2. File must be active (not trashed)
  3. Clients can only download their own shared files
  4. Admins can download any file

The real file path is never exposed to the browser.

Upload Notifications

When an admin uploads files to a client’s portal, you can notify the client via email. This behavior is controlled by the Upload Notification setting:

  • Always — automatically email the client
  • Never — never email the client
  • Ask each time — prompt the admin after uploading (default)