Short answer
Mostly no, with one exception per provider where the cloud's API supports it. Most cloud APIs offer only "full account access" or no access at all, so there's no built-in way to scope the plugin's authorization to one folder.
What each provider offers
-
Google Drive: when you connect a Google account in the plugin, you can choose between Entire Drive and App Folder. App Folder gives the plugin access only to a dedicated
/WP Cloud Pluginsfolder it creates in your Drive. -
Dropbox: if you use your own custom Dropbox App, you can set it up in App folder mode rather than Full Dropbox. The plugin then only has access to
/Apps/YourAppName. See the Dropbox custom App guide. - OneDrive / SharePoint: the Microsoft Graph API does not currently offer an app-folder scope that the plugin can use. The connection grants access to the entire account.
- Box: the Box API doesn't offer an app-folder scope for this use case either. The connection grants access to the account.
Why we don't fake this in the admin UI
Some similar plugins offer a setting in their admin UI to "restrict access to a specific folder." We deliberately don't, because the underlying OAuth authorization token still grants full access to the cloud account. The UI restriction is security by obscurity, not real isolation. If you want true scoping, it has to happen at the cloud provider's authorization layer (the App Folder options above), not in our plugin.
What you can do instead
Limit each module to a specific folder
You can configure every module (File Browser, Gallery, Upload Box, etc.) to start in a specific folder. The plugin prevents visitors from navigating outside that folder. This limits what users see and can interact with, but it's not the same as limiting what the plugin's token can technically reach.
Use Dynamic Folders or Personal Folders
With Personal Folders (powered by Dynamic Folders), each user gets their own dedicated folder inside your linked cloud account. Each user only sees their own folder, never anyone else's content.
Use a separate cloud account
If none of the above fits, create a second cloud account (a "web-only" account or a Microsoft Service account, for example) and only put the folders you want exposed in it. Link that account to the plugin. This is the simplest way to fully isolate the plugin's reach without depending on app-folder scopes.