How to Block People and Search Engines from Accessing WordPress File URLs

By default, all the files and images you upload to WordPress are publicly available.

This is great news for most sites. The goal of most sites is to create popular content that is viewed by as many readers as possible.

But this public access is a problem if you run a membership site and DO NOT want everyone reading your content. Yes, you can restrict the privacy of your posts, but people can still view your files if they know the URL.

The PublishPress Permissions Pro plugin makes it possible to block direct access to your media files. Even if someone knows the URL, they won't be able to access your files unless you give them the correct access.

  • Install the PublishPress Permissions Pro plugin.
  • Go to Permissions > Settings > File Access.
  • Check both the “Filter Uploaded File Attachments” and the “Make Unattached Files Private” boxes.
  • Click the link in the center of this screen. This will generate an .htaccess file to protect your files. This .htaccess file will be placed inside your site's /uploads/ folder.

There are three things to note about these settings:

  • This feature works for files uploaded through WordPress. If you uploaded files by FTP, click the “Attachments Utility” link.
  • If you're uploading new files regularly, it will be necessary to update the .htaccess file regularly. You can do this by creating a cron job for the URL on your screen.
  • If you're using a Nginx server, see this documentation about File Filtering with Nginx.