CosmautDL
CosmautDL
Description
CosmautDL is a multi-cloud download manager plugin for WordPress.
It turns scattered cloud-drive links into a clean “download card” experience, and provides dedicated download pages, a site-wide file-tree index, and click statistics for site owners.
Key features:
- Unified download card UI for posts/pages
- Dedicated download page route per post
- Redirect route to keep outbound links tidy
- File-tree page to browse all shared resources
- Click statistics stored in your own database
- Optional WeChat QR unlock workflow
- Assets loaded only when needed
Supported providers
Baidu Pan, 123Pan, Aliyun Drive, Tianyi Cloud, Quark, PikPak, Lanzou, Xunlei, Weiyun, OneDrive, Google Drive, Dropbox, MEGA, MediaFire, Box, and Other.
Routes (pretty permalinks recommended):
- Download page: /downloads/{post_id}.html (or ?cosmdl_download=1&post_id={id})
- File tree: /downloads/tree.html (or ?cosmdl_tree=1)
- Stats entry: /downloads/stats.html (or ?cosmdl_stats=1; admin-only)
- Redirect: /{prefix}/{post_id}/{type}.html (or ?cosmdl_redirect=1&post_id={id}&type={type})
Data and privacy overview:
- Stores download click logs in a custom table: {wp_prefix}cosmdl_clicks (post_id, type, attach_id, user_id, ip, ua, referer, success, created_at).
- Core features do not require external services.
Privacy/External Services
- Data Collection: The plugin records the IP, UA, Referer, and time of download clicks only for backend statistics and troubleshooting; data is stored in your database and never sent outside.
- External Services (Optional): When “IP Geolocation Display” is enabled, the admin backend queries ipapi/ip-api/ipinfo for geolocation; results are cached and displayed in wp-admin. No external requests occur when disabled.
- WeChat QR Unlock (Optional): Redirects the visitor browser to WeChat authorization (open.weixin.qq.com) and the server calls api.weixin.qq.com endpoints to exchange code for openid and check subscription. The plugin does not persist openid; it uses a short-lived unlock flag (~10 minutes) and caches the official account access_token (up to ~2 hours).
- User Control: You can disable these optional features at any time in plugin settings; uninstalling the plugin cleans up plugin-created data and caches.
- Compliance Note: In some jurisdictions, IP addresses are personal data; obtain consent or meet legal requirements before enabling IP geolocation.
External services
This plugin can connect to external services only when you enable related options.
1) WeChat OAuth and subscription check
- Service: WeChat / Tencent
- Purpose: Used for WeChat unlock mode authentication
- Endpoints:
- https://open.weixin.qq.com/connect/oauth2/authorize (OAuth authorize, visitor browser redirect)
- https://api.weixin.qq.com/sns/oauth2/access_token (exchange OAuth code for openid)
- https://api.weixin.qq.com/cgi-bin/token (fetch official account access_token)
- https://api.weixin.qq.com/cgi-bin/user/info (check subscription status)
- When: Only if you enable WeChat unlock in CosmautDL settings and visitors open the unlock URL in WeChat after scanning the QR code.
- Data sent:
- Visitor browser to open.weixin.qq.com: appid, redirect_uri, response_type, scope, state, and standard HTTP request metadata handled by WeChat (for example IP address and user agent).
- Your server to api.weixin.qq.com: appid, appsecret, OAuth code, grant_type; later access_token, openid, lang.
- Data stored (local): Does not store openid permanently; stores a short-lived unlock flag transient (10 minutes) and caches the official account access_token transient (up to ~2 hours, based on API expires_in).
- User control: You can disable this feature at any time in plugin settings.
- Data deletion: Transients expire automatically.
- Terms of Service: https://www.wechat.com/en/service_terms.html
- Privacy Policy: https://www.wechat.com/en/privacy_policy.html
2) IP geolocation lookup
- Services (selectable in settings):
- https://ipapi.co/
- https://ip-api.com/
- https://ipinfo.io/
- Purpose: To display IP location in admin download statistics
- When: Only if you enable Show IP location in stats and open stats details in wp-admin.
- Data sent: IP address from your click logs, from your server to the chosen provider (requests are cached).
- Caching: Results are cached for 168 hours (7 days) by default to reduce API calls.
- User control: You can disable this feature at any time in plugin settings.
- Data Flow: Your server to IP Geolocation API and back to your server (IP addresses are sent for location lookup)
- Privacy Impact: IP addresses are considered personal data in some jurisdictions; cached results help minimize exposure
- Data Deletion: Cached geolocation data automatically expires after 7 days; IP addresses in click logs can be deleted from admin stats page
- Terms of Service:
- ipapi: https://ipapi.co/terms/
- ip-api: https://ip-api.com/docs/legal
- ipinfo: https://ipinfo.io/terms-of-service
- Privacy Policies:
- ipapi: https://ipapi.co/privacy/
- ip-api: https://ip-api.com/docs/legal
- ipinfo: https://ipinfo.io/privacy-policy
Third-party libraries
phpqrcode
- Library: phpqrcode (LGPL-3.0)
- Purpose: On-site QR code generation for WeChat unlock functionality
- License: GNU Lesser General Public License v3.0
- License URI: https://www.gnu.org/licenses/lgpl-3.0.html
- Usage: Used for generating unlock QR codes without external dependencies
- Compatibility: LGPL-3.0 is compatible with GPLv3
Installation
- Upload the
cosmautdlfolder to/wp-content/plugins/. - Activate the plugin in Plugins.
- Go to CosmautDL in wp-admin and configure:
- Drive management (enable/rename/reorder)
- Route prefix
- Download page modules and optional unlock settings
- Edit a post/page, fill in cloud-drive links in the CosmautDL meta box, and publish.
Screenshots
Download card UI
Post editor meta box
File tree page
Faq
Edit a post/page, find the CosmautDL meta box, paste cloud-drive links (and extraction codes if any), then update/publish. The plugin renders the card automatically on the frontend.
Go to Settings > Permalinks and click Save Changes once to refresh rewrite rules. Also ensure your site supports pretty permalinks.
It stores click logs in your own database table, including post_id, drive type, IP, user agent, referer, timestamp, and related fields. This is used only for download statistics and can be deleted from the stats page.
No. External requests happen only if you enable:
- WeChat unlock
- IP geolocation in stats
Yes. You can change the redirect prefix in settings, and enable/rename/reorder providers in Drive management. There is also an Other type for custom links.
No. CosmautDL uses WordPress routing and template hooks and aims to be compatible with most themes. If your theme or cache plugin is aggressive, clear caches after changes.
CosmautDL is primarily tested on single-site installations. For multisite, please test in a staging site first.
Reviews
Changelog
1.0.9
- 2026-03-18 Maintenance: Align plugin version/readme stable tag, keep Text Domain consistency, and prepare stable release metadata for WordPress.org translation package generation.
1.0.8
- 2026-02-14 Maintenance: Tested up to WordPress 6.9, minor code improvements and compatibility enhancements.
1.0.7
- 2026-01-25 Maintenance: Bundle on-site QR code generation library for unlock QR rendering and tighten admin capability checks.
1.0.6
- 2026-01-15 Security: Comprehensive security hardening including SQL injection fix, AJAX URL hardcoding removal, nonce verification for download redirects, and full AJAX handler nonce checks.
1.0.5
- 2026-01-10 Security: Add nonce verification for admin AJAX actions.
1.0.4
- 2026-01-06 Fix download stats details expansion and ensure click logs capture IP/UA.
1.0.3
- 2026-01-03 Smart recognition of cloud drive links in the editor meta box.
1.0.2
- 2026-01-02 Initial release with download page, file tree, and click statistics.