[resolved] How to protect media directory or make it private (4 posts)

  1. archer09
    Posted 3 years ago #

    Hi everyone,

    WP uploads images/media files onto a directory that is accessible to the public (eg. mysite.com/wp-content/uploads). I'm trying to keep these media directories private so that it's only accessible by the admin. Otherwise, anyone can just go straight to the directory and download everything if they so desire.

    What I need is what other sites have when I try to access their directories (eg. "Forbidden. You don't have permission to access /samplepath/ on this server." Is there a way to do this? Seems like a fairly basic, commonly-needed function but I can't seem to find an answer to it.

    FYI, I've already read through this:
    but it doesn't address security for wp-content.

    This thread refers to the same problem, but there is no resultion yet:

    Can anyone help? Thanks!

  2. kmessinger
    Forum Moderator
    Posted 3 years ago #

    WP uploads images/media files onto a directory that is accessible to the public

    No, wp does not do this. That directory does not have an index file and is even though the permissions are 755 no one should be able to see it. If so something is not right on the server.

  3. archer09
    Posted 3 years ago #

    Thanks for that. Once I disabled indexing the problem was solved.

  4. Shonu
    Posted 2 years ago #

    Indexing was the problem? That is just for browsing an folder. If you know the deep link to any file there, anyone can access it freely until today. many plugins fail to prevent guests to leech files there.
    As there is no simple plugin out there that I am aware of that handles this properly, I may need to do my own:
    1. Seal of for web access thru file access limitations (chmod), so that web service cannot read
    2. make .htaccess filter for folder to redirect any access to a new file handler php
    3. that handler checks for configured authorisation level (role for simplicity, can be done more complex later)
    4. When user is authenticated, has the role required, then STREAM the file with attachment disposition (label for filename taken from media title)
    is that so hard to handle for WP?
    Many do not realise all media are public til today! Even member access or advanced Access Manager can protect as far as I know.

Topic Closed

This topic has been closed to new replies.

About this Topic