The thing is, if someone has the direct url to a file, they are not interacting with WP or even PHP, just the server itself. A filter will not help. So you need to lock down the media folder so the public does not have access to it, but server apps still do, such as WP.
Then, the only way to access the files is by using a server app or WP. Since using WP is not possible in your case unless the user is logged in, this should suffice.
I’m no expert in this sort of thing, so there may be some nuance I’m missing, but I’m confident the general intent of my statements is correct. With that disclaimer, try setting the folder and file permissions to 600 and see how that works. If all else fails, you can also block public access to files via .htaccess files.
I hoped I’d be able to affect it somehow since the .htaccess file points requests to ‘/files/.*’ to the ms-files.php file (I think; right now I don’t have access to the actual .htaccess file since it’s behind a firewall). But I didn’t see any action or filter hooks in the ms-files.php file; I’d hoped I’d just missed one.
I will certainly try setting the files directories to 600 and see if that works.
Thanks!
I will certainly try setting the files directories to 600 and see if that works.
No, that won’t work at all. My head was completely in the wrong place. (It was really warm and dark in there.) My apologies. The only realistic solution lies in .htaccess. Checking for a cookie is probably the best approach, as in vjpo’s first link. Using the referer field as suggested in the second link is a little too easy to circumvent IMO.
Even the cookie can be circumvented since .htaccess cannot check the fingerprint that makes it secure, but at least circumvention is obscure enough to make it unlikely to be attempted by nearly all users.
OK, I got it working (at least as far as my userbase goes):
I added this to the .htaccess file:
# BEGIN file lockdowns
# Only requests that carry no WordPress login cookie fall through to the redirect below.
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
# Send such requests for PDF/DOC/DOCX files under /sitename/files/ to the login-prompt page.
RewriteRule ^sitename/files/.*\.(pdf|docx?)$ /sitename/not-allowed [R=302,L]
# END file lockdowns
(as seen in the top-frog.com posting from vjpo above)
— and then made a page at /sitename/not-allowed that asks the user to please log in.
This won’t block people from going after the /wp-content/blogs.dir/[blog_id]/[filename].pdf file, but it’s sufficient to keep accidental viewing of private files locked down.
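As an added example (not code from the thread or from WordPress), here is the same cookie gate with one extra rule that closes the direct /wp-content/blogs.dir/ path mentioned above. The site slug `sitename` and the `/sitename/not-allowed` page come from the post; the rest is an assumption about a standard multisite subdirectory install in the document root.

```apache
# Added example: the cookie gate from the thread plus a rule for the
# physical upload directory. Place this ABOVE the "# BEGIN WordPress" block
# in the document-root .htaccess: the WordPress rules end in [L] and would
# otherwise serve the file before these lines are reached.
RewriteEngine On

# BEGIN file lockdowns
# 1. Refuse direct requests to the physical multisite upload directory.
#    ms-files.php reads these files from disk, so the /sitename/files/...
#    route keeps working; only the bypass path gets a 403.
RewriteRule ^wp-content/blogs\.dir/ - [F,L]

# 2. Documents requested through the /files/ route must carry a WordPress
#    login cookie. mod_rewrite can only test that the cookie is present;
#    it cannot check the hash inside it, so a visitor who sets a cookie
#    named wordpress_logged_in by hand gets through. This is a deterrent
#    against accidental viewing, not an access control.
#    [NC] on the rule also catches .PDF / .DOCX in upper case.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
RewriteRule ^sitename/files/.*\.(pdf|docx?)$ /sitename/not-allowed [R=302,L,NC]
# END file lockdowns
```

After deploying, watch the access log for 403 responses on /wp-content/blogs.dir/: any hits there are either the bypass being attempted or content that was hard-linked to the physical path instead of the /files/ URL and now needs fixing. A real access check (one that verifies the login cookie rather than its presence) has to happen in PHP, where WordPress can validate the cookie before streaming the file.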