Control Direct File URL Access to WordPress Media Files

This tutorial explains how to control direct access to files in your WordPress Media Library. This means that you can manage access to images, documents and other uploads. This feature will work even if people know the URL of your files.

By default in WordPress, site visitors may be blocked from reading a post or page but can still access the files attached to it. Anyone who knows the URL of a private file can view and download it.

You can solve this with the PublishPress Permissions Pro plugin.


How to protect your private files #

  • Go to “Permissions” then “Settings”.
  • Make sure the “File Access” feature is enabled. It is normally disabled on a default install of PublishPress Permissions Pro.
(Screenshot: File Attachment)
  • Click the “File Access” tab.
  • Check the “Filter Uploaded File Attachments” box. This blocks direct URL access to any uploaded file that is attached to a post the user cannot read.
(Screenshot: Filter Uploaded File)

Now anyone who tries to visit the URL of a file they do not have access to will get a “404 – Page Not Found” error.

The “File Access” tab offers two options:

  • Filter Uploaded File Attachments: Blocks direct URL access to images and other uploaded files in the WordPress uploads folder that are attached to posts the user cannot read. For each protected file, a separate RewriteRule is added to the .htaccess file in the site's uploads folder. Non-protected files are served as before, with no script execution whatsoever.
  • Make Unattached Files Private: Makes unattached files unreadable for most visitors. A user needs the edit_private_files or pp_list_all_files capability to see them.
(Screenshot: Extra File Permissions)

Protection for files not uploaded via the WordPress admin #

Files uploaded via FTP or other non-WordPress methods can also be protected. However, until you run the “Attachment Utility” they will not be filtered correctly, so treat them as unprotected in the meantime:

(Screenshot: Attachments Utility)

How the file protection works #

This feature works by adding an .htaccess file to the /wp-content/uploads/ folder. It therefore depends on a web server that honours .htaccess files: Apache with mod_rewrite loaded and AllowOverride permitting FileInfo directives for that folder (otherwise the rules are silently ignored). Nginx does not read .htaccess files at all.

So to be protected, a file must be inside /wp-content/uploads/ or a subdirectory of it.

For each protected file, a separate RewriteRule is added to the /wp-content/uploads/.htaccess file.


File protection without .htaccess files #

To output Nginx rewrite rules, define the following constants in wp-config.php:

    define( 'PP_NGINX_CFG_PATH', '/path/to/your/supplemental/file.conf' );
    define( 'PP_FILE_ROOT', '/wp-content' );  // typical value; use the path of the folder containing your uploads folder, relative to the HTTP document root

You will need to provide your own server scripts to trigger an Nginx reload when the config file is updated. Nginx only reads this file if your server block includes it (for example: include /path/to/your/supplemental/file.conf;), so add that include and reload Nginx once before relying on the rules.

On network installations, rules from all sites are inserted into the same file, specified by PP_NGINX_CFG_PATH. Each site's rules are preceded by a distinguishing comment tag.
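An added example of such a reload script, run from cron or a timer. It is not a PublishPress script; the file paths, the use of cksum for change detection and the one-minute cron cadence are assumptions for this illustration. Its one deliberate design point is that a regenerated file which fails nginx -t is never marked as applied, so the problem keeps being reported instead of leaving Nginx running stale rules silently.

```sh
#!/bin/sh
# Added example of a reload script for the Nginx setup above. It is not a
# PublishPress script; the paths, the use of cksum for change detection and
# running it from cron every minute are assumptions for this illustration.

CFG="${PP_NGINX_CFG:-/etc/nginx/pp-file-rules.conf}"    # same path as PP_NGINX_CFG_PATH
STAMP="${PP_NGINX_STAMP:-/var/run/pp-file-rules.cksum}" # checksum of the version last applied
NGINX_TEST="${NGINX_TEST:-nginx -t}"
NGINX_RELOAD="${NGINX_RELOAD:-nginx -s reload}"

# Checksum of the config; prints nothing if the file does not exist yet.
cfg_hash() {
    [ -f "$1" ] && cksum "$1" | cut -d' ' -f1
}

# True (exit 0) when the config differs from the version last applied.
cfg_changed() {
    cur=$(cfg_hash "$CFG")
    [ -n "$cur" ] || return 1          # nothing written yet: nothing to apply
    [ "$cur" != "$(cat "$STAMP" 2>/dev/null)" ]
}

# Validate, then reload. The checksum is recorded only after a successful
# reload, so a file that fails `nginx -t` is retried on the next run (and
# keeps logging) instead of being silently marked as applied.
reload_if_changed() {
    cfg_changed || return 0
    if ! $NGINX_TEST >/dev/null 2>&1; then
        echo "refusing to reload: $CFG fails nginx -t" >&2
        return 2
    fi
    $NGINX_RELOAD || return 3
    cfg_hash "$CFG" > "$STAMP"
}

# Cron entry (assumed):  * * * * * /usr/local/sbin/pp-nginx-reload.sh run
case "${1:-}" in
    run) reload_if_changed ;;
esac
```

On a network installation the same script covers every site, since all of their rules land in the single file named by PP_NGINX_CFG_PATH.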

To disable .htaccess output, define the following constant (in addition to PP_NGINX_CFG_PATH):

    define( 'PP_NO_HTACCESS', true );

You may manually force regeneration of the Nginx or .htaccess rules by defining the following constant and then creating the file it points to (for example with touch):

    define( 'PP_FILE_REGEN_TRIGGER', '/path/to/your/trigger/file' );