Support » Plugins » how to protect media library /uploads folder within a membership site

  • I’m looking to build a WordPress-Based Membership Site using the WishListProducts plugin.

    But I see a big potential problem with securing the Media Library /uploads files.

    In my Membership Site, I’ll have MP3, WMV, DOC, XLS and PDF
    downloads. I know that WishListProducts’ plugin can protect
    the WordPress posts and pages that would introduce/feature
    these downloads.

    But what about the underlying embedded files themselves?

    What can I do to protect the WordPress Media Library /uploads folder, to prevent someone from acting like a
    kid in a candy store (ripping off EVERYTHING in sight, without paying for membership)?

    In other words, how do the downloadable files themselves get
    protected in that folder?

    Are you aware of any plugins that can help secure the contents /wp-content/uploads folder to only registered/approved users?

    Thank you

Viewing 8 replies - 1 through 8 (of 8 total)
  • Just wanted to follow-up to see if anyone had any ideas (or leads of ideas) on how to best address this.

    Thank you

    Looking for the exact same thing. Amember does this, but I’m having numerous problems with it and want to switch to something else. WishListProducts looks great, but am concerned about protecting media files, which is really the basis of my membership site, not the posts/pages in WordPress.

    This would be a nice feature. I am also attempting to solve this problem. Have there been any updates? Has anybody been able to do this?

    Agreed. Looks like we need a plugin that

    1. disables direct access to files in /wp-content/uploads/
      • serves up this content after first applying the appropriate level of authentication (e.g. is this user a subscriber?)

    Member Access looks promising but it doesn’t have this functionality (yet?):
    http://www.chrisabernethy.com/wordpress-plugins/member-access/

    Not sure if this helps, but I was having a similar issue and in lieu of finding a plugin that solved this problem, I simply used the Force User Login plugin and then created a .htaccess file in my ‘uploads’ directory to prevent direct hot-linking to any file within that directory and its subdirectories not coming directly from my ‘Members Only’ site. This way, only logged in users can access content within the uploads directory, and only when directly linked from my site. Otherwise direct linking re-directs the user to another site. Does this make sense?

    Here’s an example .htaccess file you’d want to create and place in your ‘wp-content/uploads’ directory:

    IndexIgnore *
    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?myprotectedmemberssite\.com/ [NC]
    RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) [NC]
    RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx)$ http://yahoo.com/ [NC]

    In the above example the first line disables file directory listings (so no one can view the files in the ‘uploads’ or any of its subdirectories. The line with HTTP_REFERER makes sure linking to a particular file is coming from my site. The gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) is a list of filetypes I want to prevent from being directly linked to (unless they are clicking from my site).

    Sorry this doesn’t use a plugin to solve this (maybe I should write one?), but this seems to do the trick. Hope it helps.

    In the above example the first line disables file directory listings (so no one can view the files in the ‘uploads’ or any of its subdirectories. The line with HTTP_REFERER makes sure linking to a particular file is coming from my site. The gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx) is a list of filetypes I want to prevent from being directly linked to (unless they are clicking from my site).

    Sorry this doesn’t use a plugin to solve this (maybe I should write one?), but this seems to do the trick. Hope it helps.

    The problem is people download MP3s how can this solved. Today i realised that google actually indexed an MP3 and i managed to download it using Firefox. What do i add on the .htaccess to stop search engines from going in there. How can i hide the files?

    Please help

    wwhitehead: I think you’re on the right track. Can you get in touch with me regarding this quick-patch? I would be keen to get your assistance quickly.
    More than happy to compensate you for any time I take.
    Either post back here, or tweet me at: @kjakich
    Thanks
    K

    wwhitehead: This solution works well. However i have noticed it prevents the user to ‘Save Target as’ in IE. It redirects to download a .html file…

    Have you come across this? Any ideas as to why this might be happening?

    Cheers,
    Jarome.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘how to protect media library /uploads folder within a membership site’ is closed to new replies.