Content and files are the main assets of any WordPress site. While the website content can be protected by a password or membership plugins, there is no easy way to protect media files on your site.
Membership or download plugins can restrict your page and post URLs to logged-in users or paid members. However, the media files embedded in that content remain publicly accessible: anyone with a direct link to a file can open and download it, and other websites can hotlink it.
This puts your WordPress site at risk, because your valuable files and the work behind them can be stolen at any time.
In this article, we’ll provide you with multiple solutions on how to keep prying eyes out of your media files.
By the end of this article, you’ll know:
- How to restrict wp-content/uploads access to logged-in users
- How to prevent hotlinking of media files
- How to protect WordPress files with the Prevent Direct Access Gold plugin
- How to protect WordPress uploads and media files
Let’s get started!
How to Restrict wp-content/uploads Access to Logged In Users
WordPress stores all of your images and media uploads in the wp-content/uploads directory.
Imagine that you’re a singer and you make a living by selling music videos to registered members on your WordPress site. What happens if the albums in your wp-content/uploads folder are accessed by non-logged-in users and leaked? You’ll suffer a huge loss in revenue. To avoid that scenario, you need to add some rules to your .htaccess file.
Note: You’ll be modifying code in the .htaccess file, so create a backup of the file beforehand.
Open the .htaccess file in the root folder of your WordPress site and insert the following code snippet into it:
<IfModule mod_rewrite.c>
RewriteEngine On
# No cookie whose name contains "wordpress_logged_in": treat the visitor as not logged in
RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC]
# Capture the path prefix before wp-content/uploads/ (%1), so the rule also works in a subdirectory install
RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.* [NC]
# %1 already ends in a slash; use https:// here if your site is served over TLS
RewriteRule . http://%{HTTP_HOST}%1wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA]
</IfModule>

The code above blocks direct access to every file in the wp-content/uploads folder for visitors who are not logged in.
If you’d like to prevent direct access to only specific file types, copy and paste the code below into your .htaccess file instead:

# Protect only some file types within the uploads folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC]
# Same as above, but only for the listed extensions
RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.*\.(?:gif|png|jpe?g|pdf|txt|rtf|html|htm|xlsx?|docx?|mp3|mp4|mov)$ [NC]
RewriteRule . http://%{HTTP_HOST}%1wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA]
</IfModule>

How do the two code snippets above work?
In the first RewriteCond line, the mod_rewrite module checks whether the request carries a cookie whose name contains “wordpress_logged_in”. If there is none, the visitor is treated as not logged in. Note that Apache only checks that such a cookie exists; unlike WordPress itself, it cannot validate the cookie’s value, so this rule is an access deterrent rather than real authentication.
The next RewriteCond checks whether the requested path lies inside the wp-content/uploads folder.
The final line redirects the visitor to the login page, passing the original path in redirect_to. If they log in successfully, they are taken to the file they were trying to access.
We’ve shown you how to restrict the direct access to files in the wp-content/uploads folder against non-logged in users. Let’s move to the next part of how to prevent your media files from hotlinking.
How to Prevent Hotlinking of Media Files
Hotlinking happens when other people embed images and other media files, such as videos and audio, from your website directly on their own site. Unless you have allowed it by providing embed code, that amounts to theft and copyright infringement. It also consumes your server bandwidth and resources.
To prevent hotlinking of your images and other media files, first move the files you want to protect into a dedicated directory (the rules below use wp-content/uploads/important), then add the following code snippet to your .htaccess file:
# BEGIN Hotlinking Protection
RewriteEngine on
# Only files in the dedicated directory are covered
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/important/ [NC]
# Requests without a referer (typed URLs, bookmarks, some privacy settings) are still served
RewriteCond %{HTTP_REFERER} !^$
# The referer is the page that embeds the file, so allow any page on your own site
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain.com/ [NC]
# F: answer with 403 Forbidden for the listed file types
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ - [NC,F,L]
# END Hotlinking Protection

Make sure that you replace “domain.com” with your own domain name.
If you want to show a “No Hotlinking” custom image instead of the usual error message to those who hotlink your media files, modify the RewriteRule as in the code below:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/important/ [NC]
# Never rewrite the replacement image itself, or the redirect would loop if it lived in the protected directory
RewriteCond %{REQUEST_URI} !/no-hot-linking\.jpg$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain.com/ [NC]
# R (redirect) replaces the F (forbidden) flag so the browser fetches the replacement image
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ http://www.domain.com/no-hot-linking.jpg [NC,R,L]

In the code above, “http://www.domain.com/no-hot-linking.jpg” is the direct link to the image you’re using as a customized error message.
You can also tweak that snippet for redirection purposes. By changing the target in the final line to the URL of your homepage or a landing page, you can ask visitors who follow a hotlinked file to become a member before they can access your media files.
If you’d like to deny hotlinking but still allow certain search engines and social media platforms to access your files, add the following code snippet to your .htaccess file instead:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/important/ [NC]
RewriteCond %{REQUEST_URI} !/no-hot-linking\.jpg$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain.com/ [NC]
# Referers from these hosts are allowed through; add further hosts the same way
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo.com [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ http://www.domain.com/no-hot-linking.jpg [NC,R,L]

Don’t forget to replace “domain.com” with your actual domain name. Keep in mind that all of these rules depend on the Referer header, which browsers may omit (the !^$ condition lets such requests through), so hotlink protection reduces casual abuse rather than making the files inaccessible.
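Because a mistake in a RewriteCond can lock legitimate visitors out of their own uploads, it helps to check the decision logic before touching the live .htaccess file. The script below is an added example, not code from the original article: it re-implements the login gate from the first section and the three hotlinking variants from this section in Python, using the same regular expressions as the rules above, so each sample request can be traced to serve, forbidden or redirect. The function names, the sample requests and the host name “domain.com” are constructed for illustration.

```python
"""Offline model of the .htaccess rule sets above (added example, not from the article)."""
import re

SITE_HOST = "domain.com"  # placeholder, as in the article; substitute the real host name

# --- Login gate for wp-content/uploads (first section) ----------------------
# Same patterns as the RewriteCond lines; re.IGNORECASE plays the role of [NC]
LOGGED_IN_COOKIE = re.compile(r".*wordpress_logged_in.*$", re.IGNORECASE)
UPLOADS_PATH = re.compile(r"^(.*?/?)wp-content/uploads/.*", re.IGNORECASE)


def login_gate(request_uri, cookie_header):
    """Return 'serve' or 'redirect:<login URL>' for one request.

    Both conditions must hold for the RewriteRule to fire: no cookie name
    containing 'wordpress_logged_in' AND a path under wp-content/uploads.
    Only the cookie's presence is tested; Apache cannot validate its value.
    """
    path_match = UPLOADS_PATH.match(request_uri)
    if LOGGED_IN_COOKIE.match(cookie_header) or path_match is None:
        return "serve"
    prefix = path_match.group(1)  # %1: everything before wp-content/, trailing slash included
    return "redirect:http://%s%swp-login.php?redirect_to=%s" % (SITE_HOST, prefix, request_uri)


# --- Hotlink protection for wp-content/uploads/important (second section) ---
PROTECTED_DIR = re.compile(r"^/wp-content/uploads/important/", re.IGNORECASE)
PROTECTED_EXT = re.compile(
    r"\.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$", re.IGNORECASE)
OWN_SITE = re.compile(r"^https?://(www\.)?%s/" % re.escape(SITE_HOST), re.IGNORECASE)
SEARCH_ENGINES = [re.compile(r"^https?://(www\.)?%s" % re.escape(h), re.IGNORECASE)
                  for h in ("google.com", "bing.com", "yahoo.com")]
FALLBACK_IMAGE = "http://www.%s/no-hot-linking.jpg" % SITE_HOST


def hotlink_gate(request_uri, referer, custom_image=False, allow_search_engines=False):
    """Return 'serve', 'forbidden' or 'redirect:<fallback image>' for one request.

    custom_image selects the variant that serves a replacement picture (R flag)
    instead of a 403 (F flag); allow_search_engines adds the referer allow-list.
    """
    if not PROTECTED_DIR.match(request_uri) or not PROTECTED_EXT.search(request_uri):
        return "serve"                      # outside the protected directory or file types
    if referer == "":
        return "serve"                      # RewriteCond !^$ : no referer, e.g. a typed URL
    if OWN_SITE.match(referer):
        return "serve"                      # embedded on one of our own pages
    if allow_search_engines and any(p.match(referer) for p in SEARCH_ENGINES):
        return "serve"
    if custom_image:
        if request_uri.lower().endswith("/no-hot-linking.jpg"):
            return "serve"                  # guard: never redirect the fallback image to itself
        return "redirect:" + FALLBACK_IMAGE
    return "forbidden"


if __name__ == "__main__":
    # Constructed sample requests, not real traffic
    samples = [
        ("login", "/wp-content/uploads/2024/album.mp4", ""),
        ("login", "/wp-content/uploads/2024/album.mp4", "wordpress_logged_in_1a2b=sample"),
        ("hotlink", "/wp-content/uploads/important/song.mp3", "https://other.example/post"),
        ("hotlink", "/wp-content/uploads/important/song.mp3", "https://www.domain.com/shop/"),
        ("hotlink", "/wp-content/uploads/important/song.mp3", ""),
    ]
    for kind, uri, header in samples:
        gate = login_gate if kind == "login" else hotlink_gate
        print("%-7s %-45s -> %s" % (kind, uri, gate(uri, header)))
```

Running the script prints the decision for each constructed request; the last hotlink sample shows that a request without any Referer header is served, which is exactly the gap the closing note above describes.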