I have a restricted area on a website that can only be accessed by logged-in users. For that I created a page template with a ‘current_user_can()’ condition.
My problem is that the documents attached to the restricted pages are still accessible to anyone if you put the complete path into the browser’s address bar.
Is there a way to restrict access to uploaded files?
EDIT: I want to clarify: the files should be accessible only to logged-in users.
Answers:
Method 1
This isn’t really a WordPress question – but you can add a rewrite rule to prevent access unless the referrer is your own domain.
[Update]
You’ll need to do 2 things:
- Add a rewrite rule (either directly with .htaccess or by using WP_Rewrite (Codex reference)). The aim here is to deny requests to your documents that don’t have your domain as a referrer – this stops people pasting the link into a browser’s address bar.
- Wrap your download links in an is_user_logged_in() (Codex reference) conditional block – that way they will only show up on the page if the user is logged in.
A code example is available in a related question:
Method 2
I would change the upload dir to one outside the www folder. Then you “send” the file using a “proxy” page. The proxy page checks that the user is logged in, then it sends the file using header()/readfile().
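One way to build the “proxy” page described in Method 2, as an added example that is not code from the original answer. It assumes the protected documents have been moved to a hypothetical directory /srv/private-uploads outside the web root, that this file is loaded by WordPress (for example from a small plugin), and that downloads are requested as /?private_file=report.pdf. Everything except the WordPress functions it calls (is_user_logged_in, auth_redirect, status_header, nocache_headers, wp_check_filetype, add_action) is an assumption made for the example.

```php
<?php
// Added example: a WordPress "proxy" endpoint that serves files stored
// outside the document root only to logged-in users.
// Assumption: files live here, outside DocumentRoot, so Apache never serves
// them directly and every download has to pass through this check.
define('PRIVATE_UPLOAD_DIR', '/srv/private-uploads');

function serve_private_file(string $requested): void {
    // 1. The access check the question asks for.
    if (!is_user_logged_in()) {
        auth_redirect(); // sends the visitor to wp-login.php and exits
    }

    // 2. Accept only a bare file name, so "../wp-config.php" or an absolute
    //    path cannot be smuggled in through the query string.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $requested)
        || strpos($requested, '..') !== false) {
        status_header(400);
        exit('Bad request');
    }

    // 3. Belt and braces: resolve the path and confirm it is still inside
    //    the private directory (symlinks in the folder could otherwise
    //    point elsewhere).
    $base = realpath(PRIVATE_UPLOAD_DIR);
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        status_header(404);
        exit('Not found');
    }

    // 4. Send the file with header()/readfile() as the answer suggests.
    //    Content-Type comes from WordPress's own extension map; unknown
    //    types fall back to octet-stream so the browser does not render them.
    $info = wp_check_filetype(basename($path));
    $mime = $info['type'] ?: 'application/octet-stream';

    nocache_headers(); // private documents must not land in shared caches
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    exit;
}

// Hook late enough that the current user is known, before any theme output.
add_action('template_redirect', function () {
    if (isset($_GET['private_file'])) {
        serve_private_file((string) $_GET['private_file']);
    }
});
```

The upload-handling side is left out: you still need to move the attachments (or point WordPress’s upload_dir filter) into the private directory, and on very large files readfile() behind output buffering can exhaust memory, so call ob_end_clean() first or stream the file in chunks with fopen()/fread().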
Method 3
You may use hot-linking protection using your webserver of choice.
See this StackOverflow answer:
https://stackoverflow.com/questions/1775582/apache-hotlink-protection-for-download-folder.
This is using apache2 .htaccess
Basically, you are denying the download if the user is not coming from a page of your blog!
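The referrer check that Method 1 and Method 3 describe, written out as an added .htaccess example (not the rules from the linked StackOverflow answer). It assumes the documents sit under wp-content/uploads/private/ and that the site is example.com; both names are placeholders.

```apache
# Added example: refuse direct requests for files in the private upload
# folder unless the Referer header names this site.
# Assumptions: folder is wp-content/uploads/private/, site is example.com.
<IfModule mod_rewrite.c>
RewriteEngine On
# No Referer at all (URL typed or pasted into the address bar)...
RewriteCond %{HTTP_REFERER} ^$ [OR]
# ...or a Referer from some other host...
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# ...gets a 403 for anything under the private folder.
RewriteRule ^wp-content/uploads/private/ - [F,L]
</IfModule>
```

Treat this as a deterrent rather than an access control: the Referer header is set by the client, so curl -e https://example.com/ defeats it, and browsers honouring a strict Referrer-Policy will omit it for legitimate users. Only a server-side login check like the proxy page in Method 2 actually ties the download to an authenticated session.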
Method 4
The registered-user-only plugin looks only to make sure that a visitor is logged in before viewing your page content. Access to your files via a browser is controlled by the server.
You should try the WP plugin AskApache Password Protect – http://wordpress.org/extend/plugins/askapache-password-protect/
Of course this will only work if your WordPress blog is hosted on an Apache server.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.