Control Direct File URL Access to WordPress Media Files

This tutorial explains how to control direct access to files in your WordPress Media Library. This means that you can manage access to images, documents and other uploads. This feature will work even if people know the URL of your files.

By default in WordPress, site visitors may be blocked from accessing a post or page, but they will still be able to access the files in that post or page. If they know the URL for a private file, they will still be able to view and download it.

You can solve this with the PublishPress Permissions Pro plugin.


How to protect your private files

  • Go to “Permissions” then “Settings”.
  • Make sure the “File Access” feature is enabled. It is normally disabled on a default install of PublishPress Permissions Pro.
  • Click the “File Access” tab.
  • The “Filter Uploaded File Attachments” box will be checked. This will block direct URL access to any uploaded files which are attached to posts that the user cannot read. 

Now anyone who tries to visit the URL of a file they do not have access to will get a “404 – Page Not Found” error.

There are two extra features available on this screen:

  • Make Unattached Files Private: This will make unattached files unreadable for most visitors. A user will need the edit_private_files or pp_list_all_files permission to see these files.
  • Small Thumbnails Unfiltered: This may make your WordPress admin area run a little more quickly. This will remove filtering from small thumbnail versions of images.

Protection for files not uploaded via the WordPress admin

This feature will protect files uploaded via FTP and other non-WordPress methods. However, the files will not be filtered correctly until you run the “Attachment Utility”.

How the file protection works

This feature works by adding an .htaccess file to the /wp-content/uploads/ folder.

So to be protected, a file must be inside /wp-content/uploads/ or a subdirectory of it.

For each protected file, a separate RewriteRule is added to the /wp-content/uploads/.htaccess file.


File protection without .htaccess files

To output Nginx rewrite rules, define the following constants in wp-config.php:

    define( 'PP_NGINX_CFG_PATH', '/path/to/your/supplemental/file.conf' );
    define( 'PP_FILE_ROOT', '/wp-content' );  // typical configuration (modify with actual path to folder your uploads folder is in, relative to http root) 

You will need to provide your own server scripts to trigger an Nginx reload upon config file update.
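
One way to write the reload script mentioned above, as an added example that is not part of PublishPress Permissions: it reloads Nginx only when the file at PP_NGINX_CFG_PATH has changed and the configuration passes nginx -t. The state-file argument, the NGINX_TEST_CMD and NGINX_RELOAD_CMD override variables, and the assumption that the rules file is already included from your main Nginx configuration are this example's own.

```shell
#!/bin/sh
# Added example, not PublishPress code. Run it from cron or a systemd timer as
# a user that is allowed to reload Nginx.
# Usage: pp-nginx-reload.sh CONF STATE_FILE
#   CONF       = the path you set in PP_NGINX_CFG_PATH
#   STATE_FILE = hypothetical file holding the checksum of the last applied CONF

# Overridable so the logic can be exercised on a machine without Nginx.
: "${NGINX_TEST_CMD:=nginx -t}"
: "${NGINX_RELOAD_CMD:=nginx -s reload}"

# Return codes: 0 = reloaded, 1 = unchanged,
#               2 = config rejected or reload failed, 3 = CONF missing.
reload_if_changed() {
    conf=$1
    state=$2
    [ -r "$conf" ] || return 3
    new=$(sha256sum "$conf" | cut -d' ' -f1)
    old=$(cat "$state" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 1
    # The rules file is generated by the WordPress process, so validate the
    # whole Nginx configuration before applying it. Until a reload succeeds,
    # newly protected files are still reachable by direct URL.
    $NGINX_TEST_CMD || return 2
    $NGINX_RELOAD_CMD || return 2
    # Record the checksum only after a successful reload, so a failed attempt
    # is retried on the next run instead of being silently skipped.
    printf '%s\n' "$new" > "$state"
    return 0
}

if [ "$#" -eq 2 ]; then
    reload_if_changed "$1" "$2"
fi
```

Alert on exit code 2: it means the generated rules are not live and the previous rule set is still being served.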

On network installations, rules from all sites are inserted into the same file, specified by PP_NGINX_CFG_PATH. Each site's rules are preceded by a distinguishing comment tag.

To disable .htaccess output, define the following constant (in addition to PP_NGINX_CFG_PATH):

    define( 'PP_NO_HTACCESS', true );

You may manually force regeneration of Nginx or .htaccess rules by creating the file defined in this constant:

    define( 'PP_FILE_REGEN_TRIGGER', '/path/to/your/trigger/file' );
