Elena Taylor December 25th, 2020

How to Protect WordPress Files & Uploads Folder

Content and files are the main assets of any WordPress site. While the website content can be protected by a password or membership plugins, there is no easy way to protect media files on your site.

As a matter of fact, membership or download plugins can secure and restrict your page and post URLs to logged-in users or paid members. However, media files embedded into content are still accessible to the public. In fact, anyone with direct links to those files can access and download them. They can even be hotlinked from other websites as well. 

This poses a threat to your WordPress site as your valuable files and gray matter can be stolen at any time.

In this article, we’ll provide you with multiple solutions on how to keep prying eyes out of your media files.

By the end of this article, you’ll know: 

  • How to restrict wp-content/uploads access to logged in users
  • How to prevent hotlinking of media files
  • How to Protect WordPress files with Prevent Direct Access Gold plugin 
  • How to protect WordPress uploads and media files

Let’s get started!

How to Restrict wp-content/uploads Access to Logged In Users

WordPress stores all of your images and media uploads in the wp-content/uploads directory. 

Imagine that you’re a singer and you make a living by selling music videos to registered members on your WordPress site. What happens if your albums in your wp-content/uploads folder are accessed by non-logged in users and leaked out? You’ll suffer a huge loss in revenue. To avoid that scenario, you need to play some tricks with the .htaccess file.

Note: There’s a good chance that you’ll modify some codes in the .htaccess file. In that case, remember to create a backup of your .htaccess file beforehand.

Open your .htaccess file in the root folder of your WordPress site and insert the following code snippet into it. 

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC]
    RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.* [NC]
    RewriteRule . http://%{HTTP_HOST}%1/wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA]
</IfModule>

The codes above are used for full direct access restriction to all of the files residing in the wp-content/uploads folder. 

If you’d like to prevent direct access to only some specific files, copy and paste the codes below to your .htaccess file:

# Protect only some files within the uploads folder

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in.*$ [NC]
    RewriteCond %{REQUEST_URI} ^(.*?/?)wp-content/uploads/.*\.(?:gif|png|jpe?g|pdf|txt|rtf|html|htm|xlsx?|docx?|mp3|mp4|mov)$ [NC]
    RewriteRule . http://%{HTTP_HOST}%1/wp-login.php?redirect_to=%{REQUEST_URI} [L,QSA]
</IfModule>

How do the two code snippets above work?

In the fourth line, the mod_rewrite module checks to see if there’s a cookie whose name contains “wordpress_logged_in.” If not, it means that the user is not logged in. 

The next rule checks if the user is trying to access any files in the wp-content/uploads folder. 

The final line redirects the user to a login page. If they successfully log in, they will be taken to the files they’re trying to access. 

We’ve shown you how to restrict the direct access to files in the wp-content/uploads folder against non-logged in users. Let’s move to the next part of how to prevent your media files from hotlinking.  

How to Prevent Hotlinking of Media Files

Hotlinking happens when other people use images and other media files, such as videos, and audios from your website and embed them directly on their site. Unless you allow them to hotlink your media files by providing the embed code, that’s considered stealing and violating copyright infringement. It also takes up your server bandwidth and resources.

To prevent hotlinking of your images and other media files, you first need to upload all of your important media files to another directory, then add the following code snippet to your .htaccess file:

# BEGIN Hotlinking Protection

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^http://(www.)?domain.com/wp-content/uploads/important/.*$ [NC]
RewriteRule .(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf) $ - [NC,F,L]

Make sure that you replace “domain.com” with your site.

If you want to show a “No Hotlinking” custom page instead of a usual error message to those who hotlink your media files, just modify the “RewriteRule” in the codes below a bit:

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com/wp-content/uploads/important/.*$ [NC]
RewriteRule.(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ http://www.domain.com/no-hot-linking.jpg - [NC,F,L]

In the codes above, “http://domain.com/no-hot-linking.jpg” is the direct link to the image you’re using as a customized error message.

You can also add a few tweaks to that code snippet for redirection purposes. By changing the final line to a specific URL of your homepage or a landing page, you can request users to become a member to access your media files. 

In case you’d like to deny hotlinking but still allow certain search engines and social media platforms to access your files, you can add the following code snippet to your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com/wp-content/uploads/important/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
RewriteRule .(gif|jpg|jpeg|bmp|zip|rar|mp3|mp4|flv|swf|xml|php|png|css|pdf)$ http://www.domain.com/no-hot-linking.jpg - [NC,F,L]

Don’t forget to replace “domain.com” with the actual website name.

The .htaccess method seems straightforward and practical indeed. However, if you’re a complete WordPress novice and not so confident when it comes to codes, you should consider using a plugin to block direct access to your files.  

It’s when the Prevent Direct Access (PDA) Gold plugin comes to play!

Limit WordPress Media Library Access with PDA Gold

Prevent Direct Access (PDA) Gold offers a friendly and effective solution to prevent your WordPress files from being indexed by search engines and stolen by unwanted users. The plugin protects unlimited media files and all file types such as images (PNG, JPEG), documents (PDF, DOCX, PPTX), audios, and videos (MP4, MP3) that you upload to your website under Media Library or via Media, Pages or Posts.

What’s more, PDA Gold enables you to set user permissions with a few simple clicks. 

Let’s explore PDA Gold key features.

Restrict WordPress Media Visibility to Authorized Users 

Once protected by PDA Gold, your private files will no longer be accessible to anyone except those you’ve granted permission.

Customizing the “No Access” page: The plugin allows you to show your custom page instead of the 404 error message. You can request unauthorized users to login, become a member to access the protected files by redirecting them to a registration or login page.   

Restricting access by IP addresses: Prevent Direct Access  enables you to take total control over your private download links by blocking unwanted IP addresses accessing your files. Plus, with the Gold version, you’ll be able to also set auto expiration on numbers of clicks or days.  

Block Google Indexing of Private Files

The plugin informs Google and other search engines not to index any of your protected files. Your protected files and download links won’t be shown up on the search results. 

PDA Gold also comes with basic WordPress security features.

Block access to WordPress uploads directory: Under the plugin protection, the wp-content/uploads folder where you store all media uploads will be safe from outsiders. No one will be able to sneak and browse your media files any more.  

Preventing image and file hotlinking: Thanks to this feature, no one can steal and use your images and files without permission. It restricts usage of your media files, which stops others from sneakily embedding these URLs into their websites.

How to Protect WordPress Uploads and File Downloads

So how to secure WordPress files using Prevent Direct Access?

First, you need to install the Prevent Direct Access Lite and Gold plugin on your WordPress dashboard, under “Plugins.”

Now, start to protect your media files.

  • Click on “Media.”
  • Choose “List View” mode.
  • There’s an extra column named “Prevent Direct Access” generated by the plugin. Click on “Protect this file” option if you want to prevent others from accessing that file. 
  • The file is now protected. 

Make sure that you clear all caches, including your hosting cache, cache plugins, and browser cache. Your important files and their private links may not be protected correctly if they’re cached. 

Grant Private Files Access to certain Domains/Referrer URLs

Apart from preventing direct access and hotlinking to your file URL, another key feature that you want to achieve is to allow access from your own or certain desired domains.

In other words, you can restrict file access to certain users depending on where they come from, i.e. referer links

For example, you can specify only those who come from youraffiliatewebsite.com can download your private PDF files. Those with direct file URL won’t be able to do so.

Folder Protection: Protect WordPress Directories

Instead of protecting files individually, you can block direct access to all files under a particular folder with Access Restriction on top of PDA Gold.

To use the folder protection feature, simply select a folder at the root or WordPress uploads directory to get started with. Then choose which user roles or username who can access those folders directly. 

You can also select which file types to protect on those directories, e.g. only PNG and PPT.

Secure WordPress Files & Uploads Directory Now

We’ve provided you with 2 efficient solutions to prevent direct access to your wp-content/uploads folder as well as securing your WordPress media files against hotlinking and unauthorized users. 

You can either add some code snippets in your .htaccess file or take the soft option of using the Prevent Direct Access Gold plugin. Always bear in mind to back up your .htaccess file and your site beforehand, since a small error made in that file can break your site severely.  

What are you still waiting for? Protect your valuable files and media now.

Let us know what solution you’re using to block direct access to your media files by leaving a comment below.


Photo by Jon Moore on Unsplash

Elena Taylor

Being a dedicated content writer, Elena loves diving into the diverse world of WordPress plugins and security solutions in particular. Online piracy, file protection, and content security as well as intellectual property protection have long been her concerns, hence Elena spends most of her time researching and supporting sustainable development.

One comment

  1. This is an important and helpful article.

    I would have one suggestion for improvement for the one line in both variants of the .htaccess file:

    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com/wp-content/uploads/important/.*$ [NC]

Leave a Reply

Your email address will not be published. Required fields are marked *