First, bear in mind that when you use E-junkie's Remotely Hosted Downloads feature, we never expose your remote file URLs to buyers or the public at all; in fact, buyers have no way of knowing that their download did not originate from E-junkie's servers.
Your remote files should be "public" only in the sense that they can be accessed without restriction if the exact URL to each file is known; those URLs are never exposed for anyone to discover, and E-junkie buyers would never know or directly access your remote file URLs. It's rather like having an unlisted phone number; anyone who already knows your number can call you, but nobody else has any way of finding your number, or even knowing that you have a phone at all, if you don't tell them -- in this analogy, you would be giving your file's "unlisted number" only to us, and we don't share it with anybody else.
Ideally, you should place your download files on your server in a separate subfolder of their own, along with a blank file named index.html to prevent browsing the directory list of files in that folder. That should make it impossible to access your remote files without knowing their exact URLs right down to the filename itself.
Any additional security would only protect against "brute force" hacking attempts, such as a hacker using automation to generate every possible combination of words or characters for a URL and trying them all until it blunders across a URL permutation that happens to point to a real file. The likelihood of anyone going to such extreme, time-consuming lengths just to get a copy of a file that you're already distributing to the public as a paid download is exceedingly remote; anyone that crooked and so inclined would probably find it far easier to use a stolen credit card or a hacked PayPal account to buy the file fraudulently.
Security by obscurity
Brute-force URL-hacking attempts can be mitigated by nesting your files a few subdirectories deep and giving each folder a long, random, alphanumeric name generated from Random.org/strings/ -- e.g., something like this:
If you also make your original file name longer than the product name, then the filename assigned to buyer downloads would be derived from the shorter product name, making it harder to deduce the exact filename of the original file on your server.
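One way to build the folder layout described above, as an added example that is not part of the original page or E-junkie's own code: it nests random-named folders, drops a blank index.html into each, and stores the file under a long random name. It draws its randomness from the server's /dev/urandom rather than Random.org, and the function names (rand_hex, make_hidden_dir, publish_file) are hypothetical.

```shell
#!/bin/sh
# Added example, not E-junkie's code. Function names are hypothetical.
# Random names come from /dev/urandom here instead of Random.org.

# rand_hex N: print 2*N lowercase hex characters (8*N random bits).
rand_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# make_hidden_dir ROOT DEPTH: create DEPTH nested random-named folders
# under ROOT, put a blank index.html in each so none of them shows a
# directory listing, and print the nested path relative to ROOT.
make_hidden_dir() {
    root=$1 depth=$2 rel= i=0
    while [ "$i" -lt "$depth" ]; do
        rel="${rel:+$rel/}$(rand_hex 16)"
        mkdir -p "$root/$rel" || return 1
        : > "$root/$rel/index.html" || return 1
        i=$((i + 1))
    done
    printf '%s\n' "$rel"
}

# publish_file ROOT DEPTH SRC: copy SRC into a fresh hidden folder under
# a random 32-character name (keeping the extension) and print the path
# to append to the download host's base URL.
publish_file() {
    root=$1 depth=$2 src=$3
    dir=$(make_hidden_dir "$root" "$depth") || return 1
    base=${src##*/}
    case $base in
        *.*) ext=.${base##*.} ;;
        *)   ext= ;;
    esac
    name="$(rand_hex 16)$ext"
    cp -- "$src" "$root/$dir/$name" || return 1
    printf '%s/%s\n' "$dir" "$name"
}

# Command-line use: sh publish.sh /path/to/downloads 3 ./ebook.pdf
if [ "$#" -eq 3 ]; then
    publish_file "$@"
fi
```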
Hosting your files on a completely different server or domain, apart from your main Web site server or not accessible via your main site's domain, would mean hackers cannot even presume the domain portion of the download file URL would be the same as your site; we often recommend Amazon S3 for secure, affordable file storage apart from regular Web site hosting.
Your Web hosting control panel may provide a way to add a password (aka "HTTP authentication") to the specific subdirectory holding your download files; if you set that up, you would simply configure the Remote Product File URL for your product to include the username/password you require to access that subdirectory, like so:
Apache Web server security
If you will be storing your remote download files on a typical BSD- or Linux-based Web server running the Apache Web serving software (this covers the majority of Web site hosting services out there), you can place your download files in their own subfolder, along with a plain text file named .htaccess in that same folder; within that file, you would paste the following Apache directives, telling Apache to allow connections to that subfolder coming from the e-junkie.com domain and deny all other connections:
# Refuse every client except requests coming from e-junkie.com
Order Deny,Allow
Deny from all
Allow from e-junkie.com