


How To Protect Content Uploads Wordpress

Content and files are the main assets of any WordPress site. While the website content can be protected by a password or membership plugins, there is no easy way to protect media files on your site.

As a matter of fact, membership or download plugins can secure and restrict your page and post URLs to logged-in users or paid members. However, media files embedded into content are still accessible to the public. In fact, anyone with direct links to those files can access and download them. They can even be hotlinked from other websites as well.

This poses a threat to your WordPress site, as your valuable files and gray matter can be stolen at any time.

In this article, we'll provide you with multiple solutions on how to keep prying eyes out of your media files.

By the end of this article, you'll know:

  • How to restrict wp-content/uploads access to logged-in users
  • How to prevent hotlinking of media files
  • How to protect WordPress files with the Prevent Direct Access Gold plugin
  • How to protect WordPress uploads and media files

Let's get started!

How to Restrict wp-content/uploads Access to Logged In Users

WordPress stores all of your images and media uploads in the wp-content/uploads directory.

Imagine that you're a singer and you make a living by selling music videos to registered members on your WordPress site. What happens if the albums in your wp-content/uploads folder are accessed by non-logged-in users and leaked? You'll suffer a huge loss in revenue. To avoid that scenario, you need to play some tricks with the .htaccess file.

Note: There's a good chance that you'll modify some code in the .htaccess file. In that case, remember to create a backup of your .htaccess file beforehand.

Open your .htaccess file in the root folder of your WordPress site and insert the following code snippet into it.

    # Protect all files within the uploads folder
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC]
    RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.* [NC]
    RewriteRule . http://%{HTTP_HOST}%1/wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA]
    </IfModule>

The code above applies full direct access restriction to all of the files residing in the wp-content/uploads folder.

If you'd like to prevent direct access to only some specific files, copy and paste the code below into your .htaccess file:

    # Protect only some files within the uploads folder
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC]
    RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.*\.(?:gif|png|jpe?g|pdf|txt|rtf|html|htm|xlsx?|docx?|mp3|mp4|mov)$ [NC]
    RewriteRule . http://%{HTTP_HOST}%1/wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA]
    </IfModule>

How do the two code snippets above work?

In the fourth line, the mod_rewrite module checks to see if there's a cookie whose name contains "wordpress_logged_in." If not, it means that the user is not logged in.

The next rule checks if the user is trying to access any files in the wp-content/uploads folder.

The last line redirects the user to a login page. If they successfully log in, they will be taken to the files they're trying to access.
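To see which requests the two snippets would redirect, the following added example (not code from the original article) re-implements their conditions in Python and runs them over constructed sample requests. The host example.com, the cookie values and the file names are assumptions made for illustration.

```python
import re

# Patterns copied from the RewriteCond lines; [NC] maps to re.IGNORECASE.
COOKIE_RE = re.compile(r".*wordpress_logged_in.*$", re.I)
ALL_UPLOADS_RE = re.compile(r"^(.*?/?)wp-content/uploads/.*", re.I)
SOME_UPLOADS_RE = re.compile(
    r"^(.*?/?)wp-content/uploads/.*\.(?:gif|png|jpe?g|pdf|txt|rtf|html|htm"
    r"|xlsx?|docx?|mp3|mp4|mov)$", re.I)


def evaluate(host, uri, cookie_header, uri_re=ALL_UPLOADS_RE):
    """Return the redirect target the rule produces, or None if it does not fire."""
    # Condition 1 is negated: it holds only when the Cookie header does not
    # contain the marker. The value after the cookie name is never inspected.
    if COOKIE_RE.search(cookie_header or ""):
        return None
    # Condition 2: the path must be under wp-content/uploads. Its first group
    # is what %1 expands to (the install prefix, e.g. "/" or "/blog/").
    m = uri_re.search(uri)
    if m is None:
        return None
    # Substitution copied literally; Apache's URL escaping is not modelled.
    return f"http://{host}{m.group(1)}/wp-login.php?redirect_to={uri}"


# Constructed sample requests: (label, path, Cookie header)
SAMPLES = [
    ("anonymous", "/wp-content/uploads/2024/05/album.mp4", ""),
    ("logged in", "/wp-content/uploads/2024/05/album.mp4",
     "wordpress_logged_in_0123abcd=alice%7C1700000000%7Ctoken"),
    ("expired cookie", "/wp-content/uploads/2024/05/album.mp4",
     "wordpress_logged_in_0123abcd=expired-value"),
    ("subdirectory install", "/blog/wp-content/uploads/report.pdf", ""),
    ("not an upload", "/index.php", ""),
]

if __name__ == "__main__":
    for label, uri, cookie in SAMPLES:
        print(f"{label:22} -> {evaluate('example.com', uri, cookie) or 'served'}")
    # The "some files" variant leaves unlisted extensions unprotected.
    print(evaluate("example.com", "/wp-content/uploads/price-list.csv", "",
                   SOME_UPLOADS_RE) or "served")
```

Because the first condition matches on the cookie name only, the rule keeps casual visitors out but does not verify a session. Files that need real authorization should be served through code that validates the login.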

We've shown you how to restrict direct access to files in the wp-content/uploads folder against non-logged-in users. Let's move to the next part: how to prevent your media files from being hotlinked.

How to Prevent Hotlinking of Media Files

Hotlinking happens when other people use images and other media files, such as videos and audio, from your website and embed them directly on their site. Unless you allow them to hotlink your media files by providing the embed code, that's considered stealing and copyright infringement. It also takes up your server bandwidth and resources.

To prevent hotlinking of your images and other media files, you first need to upload all of your important media files to another directory, then add the following code snippet to your .htaccess file:

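    # BEGIN Hotlinking Protection
    RewriteEngine on
    # Apply only to files in the protected directory
    RewriteCond %{REQUEST_URI} /wp-content/uploads/important/ [NC]
    # Let through requests that carry no Referer header
    RewriteCond %{HTTP_REFERER} !^$
    # Let through requests referred by pages on your own site
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
    RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ - [NC,F,L]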

Make sure that you replace "domain.com" with your site.

If you want to show a custom "No Hotlinking" page instead of the usual error message to those who hotlink your media files, just change the "RewriteRule" in the code a bit, as shown below:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} /wp-content/uploads/important/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
    # R redirects the request to the replacement image (F would return 403 and ignore the URL)
    RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ http://www.domain.com/no-hot-linking.jpg [NC,R,L]

In the code above, "http://domain.com/no-hot-linking.jpg" is the direct link to the image you're using as a customized error message.

You can also add a few tweaks to that code snippet for redirection purposes. By changing the last line to a specific URL of your homepage or a landing page, you can ask users to become a member to access your media files.

In case you'd like to deny hotlinking but still allow certain search engines and social media platforms to access your files, you can add the following code snippet to your .htaccess file:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} /wp-content/uploads/important/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
    RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ http://www.domain.com/no-hot-linking.jpg [NC,R,L]

Don't forget to replace "domain.com" with the actual website name.
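The Referer allow-list logic of the hotlinking rules can be checked offline. This added example (not from the original article) models the rule order in Python and compares prefix-style host patterns with a tightened variant. It assumes the own-site condition matches on the host name only; the `STRICT` patterns and the sample referers are additions for illustration.

```python
import re

MEDIA_RE = re.compile(
    r"\.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$", re.I)
HOSTS = ("domain.com", "google.com", "bing.com", "yahoo.com")

# Prefix-style patterns as in the search-engine lines: unescaped dots,
# nothing required after the host name.
LOOSE = [re.compile(r"^http(s)?://(www\.)?" + h, re.I) for h in HOSTS]
# Tightened variant (an addition): literal dots, and the host must be
# followed by "/", ":" or the end of the string.
STRICT = [re.compile(r"^https?://(www\.)?" + re.escape(h) + r"(?=[/:]|$)", re.I)
          for h in HOSTS]


def decide(path, referer, patterns=LOOSE):
    """Return 'serve' or 'forbid' for one request, mirroring the rule order."""
    if not MEDIA_RE.search(path):
        return "serve"    # RewriteRule pattern does not match this file type
    if referer == "":
        return "serve"    # RewriteCond %{HTTP_REFERER} !^$ lets empty Referer through
    if any(p.search(referer) for p in patterns):
        return "serve"    # Referer is on the allow-list
    return "forbid"       # [F] answers with 403


# Constructed sample referers for one protected file.
FILE = "/wp-content/uploads/important/cover.jpg"
SAMPLES = [
    "",
    "http://www.domain.com/my-post/",
    "https://www.google.com/search?q=cover",
    "http://othersite.example/gallery",
    "http://google.com.othersite.example/",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref or '(no Referer)':40} loose={decide(FILE, ref)} "
              f"strict={decide(FILE, ref, STRICT)}")
```

The Referer header is supplied by the client, so these rules cut down on casual embedding and bandwidth use rather than act as access control.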

The .htaccess method seems straightforward and practical indeed. However, if you're a complete WordPress novice and not so confident when it comes to code, you should consider using a plugin to block direct access to your files.

That's where the Prevent Direct Access (PDA) Gold plugin comes into play!

Limit WordPress Media Library Access with PDA Gold

Prevent Direct Access (PDA) Gold offers a friendly and effective solution to prevent your WordPress files from being indexed by search engines and stolen by unwanted users. The plugin protects unlimited media files and all file types such as images (PNG, JPEG), documents (PDF, DOCX, PPTX), audio, and videos (MP4, MP3) that you upload to your website under Media Library or via Media, Pages or Posts.

What's more, PDA Gold enables you to set user permissions with a few simple clicks.

Let's explore PDA Gold's key features.

Restrict WordPress Media Visibility to Authorized Users

Once protected by PDA Gold, your private files will no longer be accessible to anyone except those you've granted permission.

Customizing the "No Access" page: The plugin allows you to show your custom page instead of the 404 error message. You can ask unauthorized users to log in or become a member to access the protected files by redirecting them to a registration or login page.

Restricting access by IP addresses: Prevent Direct Access enables you to take full control over your private download links by blocking unwanted IP addresses from accessing your files. Plus, with the Gold version, you'll also be able to set auto-expiration based on the number of clicks or days.

Block Google Indexing of Private Files

The plugin informs Google and other search engines not to index any of your protected files. Your protected files and download links won't show up in the search results.

PDA Gold also comes with basic WordPress security features.

Block access to WordPress uploads directory: Under the plugin's protection, the wp-content/uploads folder where you store all media uploads will be safe from outsiders. No one will be able to sneak in and browse your media files anymore.

Preventing image and file hotlinking: Thanks to this feature, no one can steal and use your images and files without permission. It restricts usage of your media files, which stops others from sneakily embedding these URLs into their websites.

How to Protect WordPress Uploads and File Downloads

So how do you secure WordPress files using Prevent Direct Access?

First, you need to install the Prevent Direct Access Lite and Gold plugins on your WordPress dashboard, under "Plugins."

Now, start protecting your media files.

  • Click on "Media."
  • Choose "List View" mode.
  • There's an extra column named "Prevent Direct Access" generated by the plugin. Click on the "Protect this file" option if you want to prevent others from accessing that file.
  • The file is at present protected.

Make sure that you clear all caches, including your hosting cache, cache plugins, and browser cache. Your important files and their private links may not be protected correctly if they're cached.

Grant Private Files Access to Certain Domains/Referrer URLs

Apart from preventing direct access and hotlinking to your file URL, another key feature that you want to achieve is to allow access from your own or certain desired domains.

In other words, you can restrict file access to certain users depending on where they come from, i.e. referer links.

For example, you can specify that only those who come from youraffiliatewebsite.com can download your private PDF files. Those with the direct file URL won't be able to do so.

Folder Protection: Protect WordPress Directories

Instead of protecting files individually, you can block direct access to all files under a particular folder with Access Restriction on top of PDA Gold.

To use the folder protection feature, simply select a folder at the root or WordPress uploads directory to get started with. Then choose which user roles or usernames can access those folders directly.

You can also select which file types to protect in those directories, e.g. only PNG and PPT.

Secure WordPress Files & Uploads Directory Now

We've provided you with two efficient solutions to prevent direct access to your wp-content/uploads folder as well as securing your WordPress media files against hotlinking and unauthorized users.

You can either add some code snippets to your .htaccess file or take the soft option of using the Prevent Direct Access Gold plugin. Always bear in mind to back up your .htaccess file and your site beforehand, since a small error made in that file can break your site severely.

What are you still waiting for? Protect your valuable files and media now.

Let us know what solution you're using to block direct access to your media files by leaving a comment below.


Photo by Jon Moore on Unsplash

Source: https://www.noupe.com/wordpress/how-to-protect-wordpress-files-and-uploads-folder.html

Posted by: bensonforint.blogspot.com
