Support » Plugins » Hacks » Lock down media files

  • Resolved Patrick Johanneson



    I’ve got a “closed” site set up in a Multisite install, where users have to be at least Subscribers in order to see content. What I’ve found is that any content posted into the Media Library is available if they have the URL — so, for instance, can be downloaded by someone that’s not signed in. I’d like to prevent this.

    I’d like to be able to write a filter, something along the lines of:

    add_filter( '???', 'lock_media' );
    function lock_media( $media ) {
        if( ! current_user_can( 'read' ) ) {
            wp_die( 'Nice try!' );
        return $media;

    Is there a way to filter the content returned by the functions that handle handing files to the user? I took a look in wp-includes/ms-files.php and didn’t see any action or filter hooks, but maybe I’m just missing it.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator bcworkz


    The thing is, if someone has the direct url to a file, they are not interacting with WP or even PHP, just the server itself. A filter will not help. So you need to lock down the media folder so the public does not have access to it, but server apps still do, such as WP.

    Then, the only way to access the files is by using a server app or WP. Since using WP is not possible in your case unless the user is logged in, this should suffice.

    I’m no expert in this sort of thing, so there may be some nuance I’m missing, but I’m confident the general intent of my statements are correct. With that disclaimer, try setting the folder and file permissions to 600 and see how that works. If all else fails, you can also block public access to files via .htaccess files.

    I hoped I’d be able to affect it somehow since the .htaccess file points requests to ‘/files/.*’ to the ms-files.php file (I think; right now I don’t have access to the actual .htaccess file since it’s behind a firewall). But I didn’t see any action or filter hooks in the ms-files.php file; I’d hoped I’d just missed one.

    I will certainly try setting the files directories to 600 and see if that works.


    Moderator bcworkz


    I will certainly try setting the files directories to 600 and see if that works.

    No, that won’t work at all. My head was completely in the wrong place. (It was really warm and dark in there) My apologies. The only realistic solution lies in .htaccess. Checking for a cookie is probably the best approach, as in vjpo’s first link. Using the referer field as suggested in the second link is a little too easy to circumvent IMO.

    Even the cookie can be circumvented since .htaccess cannot check the fingerprint that makes it secure, but at least circumvention is obscure enough to make it unlikely to be attempted by nearly all users.

    OK, I got it working (at least as far as my userbase goes):

    I added this to the .htaccess file:

    # BEGIN file lockdowns
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
    RewriteRule ^sitename/files/.*\.(pdf|docx?)$ /sitename/not-allowed [R=302,L]
    # END file lockdowns

    (as seen in the posting from vjpo above)

    — and then made a page at /sitename/not-allowed that asks the user to please log in.

    This won’t block people from going after the /wp-content/blogs.dir/[blog_id]/[filename].pdf file, but it’s sufficient to keep accidental viewing of private files locked down.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Lock down media files’ is closed to new replies.