Source evidence

Forbidden

PDF.js Viewer · support · 2025-08-19T21:51:00+00:00

PDF.js Viewer plugin evidence original source source API

mixedsentiment

highseverity

0.95relevance

5replies

Evidence linked to opportunitycommercial context

Proof Health

Open evidence

Commercial opportunities need traceable source links before they are treated as build-worthy.

4 / 33 rows with source links

12.1% of this page's analysis has direct source links.

0 build-decision rows missing links

0 rows here require auditable proof before promotion.

29 rows with no attached evidence

0 rows have source counts but still need direct links.

Conversation

support

mcyzyk resolved

I am finding that, in order for this plugin to continue to function post-upgrade, you must remember to create an .htaccess file for it in the following folder: wordpress/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/.htaccess Inside this .htaccess file: # Allow direct access to PDF viewer PHP file. # This is required for embedded PDFs to display. # This rule will superceed the security rule above # defined in /wp-content/.htaccess that blocks # direct access to PHP files. <Files viewer.php> allow from all </Files> Then make sure Apache owns the file: sudo chown apache:apache ./.htaccess If you don’t remember to do this, you’ll get a PDF Forbidden error after you’ve upgraded. Maybe this .htaccess file can become part of the upgrade payload? I’m guessing that has more to do with your specific server setup, but I can look into it. I do not recall ever setting anything in my root .htaccess file regarding this, but I’m betting the security plugin we use here (Wordfence) did. If you were to put that plugin-specific .htaccess file in this plugin’s codebase, though, no harm done? And it would solve a previously vexing issue for other folks who may run into the Forbidden message? And yet, related: https://wordpress.org/support/topic/security-compatibility-concern-plugin-is-calling-php-files-directly/ Did you figure this out? With thousands of installs, no one has had .htaccess issues. In that case, I guess it was idiosyncratic to my local setup. (I’m betting my Wordfence was blocking it, somehow…)

Commercial Context

Opportunity

media publishing and video operations

Embed media delivery assurance for keeping media embeds, galleries, watermarks, and video experiences reliable

Buyer: publishers, creators, agencies, and media-heavy site owners

Wedge: test embeds, players, thumbnails, browser behavior, and asset delivery failures

Proof Blocked card complete market

Analysis

heuristic-v1

Summary: Forbidden: users show security, bugs, compatibility pain that may indicate a product gap.

Evidence quote: Forbidden I am finding that, in order for this plugin to continue to function post-upgrade, you must remember to create an .htaccess file for it in the following folder: wordpress/wp-content/plugins/pdfjs-viewer-shortcode/pdfjs/web/.htaccess Inside this .htaccess file: # Allow direct access to PDF viewer PHP file.

Affected feature: security

security bugs compatibility missing feature

Plugin

API

PDF.js Viewer

20.0K active installs · 436.1K downloads · rating 88.0

embed mozilla pdf pdfjs viewer

Comments

5 shown

Thomas McMahon 2025-08-20T13:10:00+00:00

I’m guessing that has more to do with your specific server setup, but I can look into it.

mcyzyk 2025-08-20T14:40:00+00:00

I do not recall ever setting anything in my root .htaccess file regarding this, but I’m betting the security plugin we use here (Wordfence) did. If you were to put that plugin-specific .htaccess file in this plugin’s codebase, though, no harm done? And it would solve a previously vexing issue for other folks who may run into the Forbidden message?

mcyzyk 2025-08-20T15:37:00+00:00

And yet, related: https://wordpress.org/support/topic/security-compatibility-concern-plugin-is-calling-php-files-directly/

Thomas McMahon 2025-12-12T13:38:00+00:00

Did you figure this out? With thousands of installs, no one has had .htaccess issues.

mcyzyk 2025-12-12T13:47:00+00:00

In that case, I guess it was idiosyncratic to my local setup. (I’m betting my Wordfence was blocking it, somehow…)