BreakColorUI Secure Download Button

A secure download element for Breakdance that protects file URLs using signed requests instead of exposing direct media library links.

Why

By default, WordPress exposes direct file URLs (e.g. /wp-content/uploads/…). Anyone can copy and reuse them, bypassing access control.

This element replaces public links with signed URLs using a query parameter and HMAC signature, ensuring controlled and secure downloads.

Key Features

Security

• Signed URLs: HMAC-SHA256 signatures tied to WordPress salts
• Attachment Validation: Strict validation using get_post_type()
• File Protection: Blocks execution of dangerous file types (.php, .phtml, etc.)
• Path Security: Prevents directory traversal outside uploads folder
• Secure Headers: nocache_headers() and X-Content-Type-Options: nosniff
• Safe Delivery: Files served via readfile() after clearing buffers

UX

• Dual Mode: Download files or copy text/code/links
• Smart Feedback: “Preparing…” → “Downloaded!” / “Copied!” with spinner
• File Info: Optional extension and human-readable file size display
• Custom Labels: Separate text for Download and Copy actions
• Flexible Icons: Left/right position, custom SVG, or default icons

Developer

• Dynamic Data: Full Breakdance dynamic data support
• Clipboard Fallback: Works in non-secure contexts (HTTP/local dev)
• Translation Ready: Includes .pot file
• Lightweight: No external dependencies beyond Breakdance

Requirements

• WordPress 6.x
• PHP 8.0+
• Breakdance (active)

Install

• Download the latest ZIP release
• Go to Plugins → Add New → Upload Plugin
• Upload, install, and activate
• Add the “Download Button” element in Breakdance (Other category)

Usage

• Add the Download Button element to your page
• Choose Action: Download or Copy
• Download Mode: Select a file from the media library
• Copy Mode: Add text/code/link or auto-copy the signed file URL
• Customize design: text, icon, spacing, borders, typography