I thought I'd post this here as I see so many users who have certain doors and windows wide open on their Catalyst-powered sites.
These basic security issues are not a Catalyst problem per se and are common to millions of WordPress-powered sites. If you are one of those site owners it might be time to do some housekeeping - it's not difficult or technical.
What many WordPress users don't understand is that each time they upload a compressed file such as a plugin or theme via their WP-Admin, a copy of those zipped files remains on their server (usually) in their wp-content/uploads directory. If they do not then delete those zip files and have left their directories open to browsing, anyone can waltz in and download the files.
Try browsing to yourdomain.com/wp-content/uploads and see what happens. If you know the first thing about security you should see a "page not found" error or a "forbidden" error. If you see the contents of your directory you need to read on...
Not only is this costing you bandwidth, it also makes you look a little foolish if you are trying to make sales as a Catalyst affiliate and have the theme and all the Dynamik child themes sitting on your server for free download :-) Or indeed any other plugin or theme.
The simplest way to turn off access to your directories is via .htaccess. There is one very effective plugin that can do the work for you and add significant additional hardening to your entire site - it's free from the plugin repository. If you prefer not to use plugins I've linked to an article of mine below that will show you exactly what to do and gives all relevant information (including a link to this and several other plugins) which I hope Catalyst members will find useful:
If you really don't want to harden your sites against script kiddies, hackers and casual nosy browsers, at least make sure you delete the zip files from your uploads directory after you have installed things - you don't need them there taking up space.
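An added example, not part of the original post: a small server-side audit that lists zip files left under wp-content/uploads and checks whether an .htaccess between the site root and that directory turns listings off. It assumes Apache and the `Options -Indexes` directive (the post does not name the directive); the function names and the sample tree are made up for illustration.

```python
import re
import tempfile
from pathlib import Path

# An uncommented Apache "Options" line that disables autoindex, e.g. "Options -Indexes".
NO_INDEX = re.compile(r"^\s*Options\b.*(?<!\S)-Indexes\b", re.IGNORECASE | re.MULTILINE)

def listing_disabled(wp_root: Path, directory: Path) -> bool:
    """True if .htaccess in `directory` or a parent up to wp_root has Options -Indexes.
    Simplification: a nearer "Options +Indexes" override is not considered."""
    wp_root, current = wp_root.resolve(), directory.resolve()
    while True:
        ht = current / ".htaccess"
        if ht.is_file() and NO_INDEX.search(ht.read_text(errors="replace")):
            return True
        if current == wp_root or current == current.parent:
            return False
        current = current.parent

def leftover_archives(uploads: Path) -> list:
    """Zip files anywhere under the uploads directory, including dated subfolders."""
    return sorted(p for p in uploads.rglob("*") if p.is_file() and p.suffix.lower() == ".zip")

def audit(wp_root: Path) -> dict:
    uploads = wp_root / "wp-content" / "uploads"
    return {
        "listing_disabled": listing_disabled(wp_root, uploads),
        "zip_files": [p.relative_to(wp_root).as_posix() for p in leftover_archives(uploads)],
    }

def build_sample_site(root: Path) -> Path:
    """Constructed sample tree: one leftover theme archive and one ordinary upload."""
    up = root / "wp-content" / "uploads" / "2024" / "01"
    up.mkdir(parents=True)
    (up / "some-theme.zip").write_bytes(b"PK constructed sample")
    (up / "photo.jpg").write_bytes(b"constructed sample")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(Path(tmp))
        print("before:", audit(site))
        (site / ".htaccess").write_text("Options -Indexes\n")
        print("after: ", audit(site))
```

A clean result here only covers the .htaccess files on disk; listings can also be enabled or disabled in the main server configuration, so the browser check described in the post is still the final word.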