Control Direct File URL Access to WordPress Media Files
This tutorial explains how to control direct access to files in your WordPress Media Library. This means that you can manage access to images, documents and other uploads. This feature will work even if people know the URL of your files.
By default in WordPress, site visitors may blocked from accessing a post or page, but will still be able to access your files in that post or page. If they know the URL for a private file, they will still be able to view and download it.
You can solve this with the PublishPress Permissions Pro plugin.
How to protect your private files
- Go to “Permissions” then “Settings”.
- Make sure the “File Access” feature is enabled. It is normally disabled on a default install of PublishPress Permissions Pro.
- Click the “File Access” tab.
- The “Filter Uploaded File Attachments” box will be checked. This will block direct URL access to any uploaded files which are attached to posts that the user cannot read.
Now anyone who tries to visit the URL of a file they do not have access to will get a “404 – Page Not Found” error.
There are two extra features available on this screen:
- Make Unattached Files Private: This will make unattached files unreadable for most visitor. A user will need the edit_private_files or pp_list_all_files permission to see these files.
- Small Thumbnails Unfiltered: This may make your WordPress admin area run a little more quickly. This will remove filtering from small thumbnail versions of images.
Protection for files not uploaded via the WordPress admin
This feature will protect files uploaded via FTP and other non-WordPress methods. However, the files will not be filtered correctly until you run the “Attachment Utility”:
How the file protection works
This feature works by adding an .htaccess file to the /wp-content/uploads/ folder.
So to be protected, a file must be inside /wp-content/uploads/ or a subdirectory of it)
For each protected file, a separate RewriteRule is added to the /wp-content/uploads/.htaccess file.
File protection without .htaccess files
To output Nginx rewrite rules, define the following constants in wp-config.php:
define( 'PP_NGINX_CFG_PATH', '/path/to/your/supplemental/file.conf' ); define( 'PP_FILE_ROOT', '/wp-content' ); // typical configuration (modify with actual path to folder your uploads folder is in, relative to http root)
You will need to provide your own server scripts to trigger an Nginx reload upon config file update.
On network installations, rules from all sites are inserted into the same file, specified by PP_NGINX_CFG_PATH. Each site's rules are preceded by a distinguishing comment tag.
To disable .htaccess output, define the following constant (in addition to PP_NGINX_CFG_PATH):
define( 'PP_NO_HTACCESS', true );
You may manually force regeneration of Nginx or .htaccess rules by creating the file defined in this constant:
define( 'PP_FILE_REGEN_TRIGGER', '/path/to/your/trigger/file' );