Support » Plugin: Membership 2 » Media Protection Instability

  • Installed Membership 2 Free last December and used it to protect a PDF file so that only members could download it. Worked like a charm for a long time. Then suddenly it stopped working and only showed the ‘Forbidden’ error for logged-in users. After lots of somewhat random diddling around without success, finally arrived at this set of conditions for testing: Cacheing OFF at which handles my DNS and also OFF through my hosting provider’s Cpanel; no cacheing WordPress plugins are being used. Used two test machines, one running Windows 7 and the other Windows 10 (no differences in any responses between them were ever noticed); used Chrome’s Incognito Window feature to test the pasted-in link to the PDF as a non-logged-in user. All WordPress plugins are updated, my two test computers scanned for viruses using AVG Free and found clean. Performed a global reset to default of all the site’s file permissions twice through my hosting provider’s Cpanel, with no noticeable effects, the Linux permission on the PDF is -rw-r–r– and the permission on all containing subdirectories is the same: drwxr-r-xr-x. These are the contents of wp-content/uploads/.htaccess:

    ## Membership 2 - Media Protection ##
    Options -Indexes
    Deny from all
    <FilesMatch '\.(jpg|jpeg|png|gif|mp3)$'>
    Order Allow,Deny
    Allow from all
    ## Membership 2 - End ##
    The 'Link to the page you need help with' is to the relevant PDF file which should of course always show the Forbidden error for non-logged-in users.  Feel free to create an account on the homepage of, validate your email, and see if you are then allowed to download the PDF titled 'Antinuclear Nutrition' from the Account page after you login.  Turning OFF the Media Protection slider switch found on the upper right corner of the Media Protection popup on the Membership Add-ons page makes the PDF instantly accessible to both logged-in and non-logged-in users, pretty well identifying the culprit as Membership 2.  Changing to any of the three Protection Methods on the popup where that switch is also found does absolutely nothing, the default link is always produced (I am assuming that function was once called “Mask download URL” as described by user Nik (@nikbond) who reported similar but not identical problems with Media Protection a year ago, as I do not find the words “Mask download URL” anywhere in the current version of Membership 2).  The strangest behavior of all was noticed at one point when the PDF file briefly became accessible to non-logged-in users but was still Forbidden for logged-in users!  It didn't stay that way for very long though, and nothing was changed on the site, my browser, or on Cloudflare other than refreshing the page for the logged-in user and the non-logged-in user in an Incognito window.  After two or three refreshes of each, the original bad behavior of not working for either returned.  
    Some potentially relevant data:
    System Overview
    WP Version: 5.1.1
    PHP Version: 7.3.0
    Database Version: 10.2.17-MariaDB
    Client IP Address: ***redacted***
    Server IP Address: ***redacted***
    Server Load: 6.64, 7.45, 7.53
    Server Load Average: 7.207
    PHP Memory Usage: 8% (42.47M of 512M)
    WordPress Info
    WP Version: 5.1.1
    Active Theme: Twenty Sixteen, Version 1.5
    WP Memory Limit: 40 MB
    WP Remote Post: Enabled
    WP Debug Mode: Disabled
    WP Debug Log: Disabled
    WP Debug Display: Enabled
    WP Debug Script: Disabled
    Query Logging: Enabled
    Disallow File Edit: Disabled
    Allow Core Auto Update: Disabled
    WP DB Hostname: localhost
    WP DB Name: ***redacted***
    Active Plugins: 16
    WP Language: English / en_US
    Advanced Caching: Disabled
    External Object Cache: Disabled
    WordPress Time: 2019-04-12 23:20:08
    Update Method: Direct access allowed
    Client Info
    Platform: Windows 7 : 64 bit
    Browser: Chrome
    IP Address: ***redacted***
    User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
    Hostname: ***redacted***
    Client Port: 55063
    Server Info
    OS/Server: Linux ***redacted*** 3.10.0-714.10.2.lve1.5.19.3.el7.x86_64 #1 SMP Tue Aug 7 21:33:29 EDT 2018 x86_64
    Server Software: Apache
    Server Version: 64Bit
    Server Address:
    Server Port: 80
    Document Root: /home/***redacted***/public_html
    Server Name:
    Server Load: 6.64, 7.45, 7.53
    Load Average: 7.207
    Server Signature: Disabled
    Apache Modules: mod_rewrite, mod_mime, mod_headers, mod_expires, mod_auth_basic
    Server Protocol: HTTP/1.1
    HTTP Connection: Keep-Alive
    Server Gateway: n/a
    Server Time: 2019-04-13 03:20:08
    Database Info
    Database: MariaDB Server
    Version: 10.2.17-MariaDB
    Uptime: 67 days, 13 hours, 0 minutes, 20 seconds
    Charset: utf8
    PHP Info
    PHP Version: 7.3.0
    Zend Engine: 3.3.0-dev
    PHP Memory Limit (runtime / server): 512M / 512M
    PHP Memory Usage: 8% (42.8M of 512M)
    PHP Peak Memory Usage: 44.5M
    PHP Post Max Size: 256M
    PHP Upload Max File Size: 256M
    PHP Execution Time Limit: 240s
    PHP Input Time Limit: 240s
    PHP Max Input Vars: 1000
    PHP Include Path: /home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/archive_tar:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/console_getopt:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/http_request2:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/mail_mime:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/mail_mime-decode:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/net_url2:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/pear-core-minimal/src:/home/***redacted***/public_html/wp-content/plugins/backwpup/vendor/pear/pear_exception:.:/opt/alt/php73/usr/share/pear
    PHP Allow URL File Open: Enabled
    PHP File Uploads: Enabled
    Session: Enabled
    Session Name: PHPSESSID
    Cookie Path: /
    Save Path: /opt/alt/php73/var/lib/php/session
    Use Cookies: Enabled
    Use Only Cookies: Enabled
    Loaded Extensions: Core, date, libxml, openssl, pcre, sqlite3, zlib, bz2, calendar, ctype, curl, hash, filter, ftp, gettext, gmp, SPL, iconv, pcntl, readline, Reflection, session, standard, shmop, SimpleXML, mbstring, tokenizer, xml, litespeed, PDO, pdo_mysql, fileinfo, wddx, sysvsem, bcmath, Phar, xmlwriter, redis, sockets, json, igbinary, exif, sysvshm, sysvmsg, mysqli, dom, mysqlnd, pdo_sqlite, xmlreader, posix, xsl
    fsockopen: Enabled
    cURL: Enabled
    SOAP Client: Disabled
    Short Open Tag: Enabled
    Security Info
    Register Globals: Disabled
    Safe Mode: Disabled
    Display Errors: Disabled
    allow_url_include: Disabled
    allow_url_fopen: Enabled
    Magic Quotes: Disabled
    Server Signature: Disabled
    WP Unique Keys: Enabled
    mod_security: Disabled
    open_basedir: Disabled
    upload_tmp_dir: /tmp
    expose_php: Enabled
    • This topic was modified 7 months, 1 week ago by Kanonymous. Reason: added 'Free' for clarity
    • This topic was modified 7 months, 1 week ago by Jan Dembowski.

    The page I need help with: [log in to see the link]

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Predrag Dubajic WPMU DEV Support


    Hi @simanonok,

    Hope you’re doing well.

    Can you tell me where that .htaccess rule commented with ## Membership 2 – Media Protection ## comes from?

    Membership 2 doesn’t use .htaccess rules to protect media files and it doesn’t protect direct URL, it will mask your media file URL and protect then that masked URL, the file will still be available via direct link.

    The error you are seeing is coming from the .htaccess rule that you are using:

    ## Membership 2 - Media Protection ##
    Options -Indexes
    Deny from all
    <FilesMatch '\.(jpg|jpeg|png|gif|mp3)$'>
    Order Allow,Deny
    Allow from all
    ## Membership 2 - End ##

    But that code shouldn’t be added by Membership 2 plugin.




    Hi Predrag,

    Thanks for looking at this, but perhaps you are confusing Membership 2 with another plugin?

    The page at (Advanced Media Protection) says this, more or less (wish I could paste a screenshot):

    Protect uploaded files
    Prevent direct access to your uploaded media files

    Only allow direct access to the following file extensions.

    We will place .htaccess file into the /wp-content/uploads/ folder to prevent direct access to files other than those defined. Each change in the files needs the htaccess file updated

    … Then there’s an ‘Update htaccess’ button below.

    You can delete or rename the .htaccess file in that location and pressing the button on this page will recreate it.

    Plugin Support Predrag Dubajic WPMU DEV Support


    Hi @simanonok,

    You’re right, Advanced Media Protection completely slipped my mind, sorry about that, looks like I need more coffee in me 🙂

    So in Advanced Media Protection, you can set the extensions that you want to be accessible.
    And from what I see in your .htaccess rules the PDF is not on the list.

    Go to Membership 2 > Settings > Advanced Media Protection and in your allowed file list add PDF so it looks like this:

    Or you can update your wp-content/uploads/.htaccess to look like this:

    ## Membership 2 - Media Protection ##
    Options -Indexes
    Deny from all
    <FilesMatch '\.(jpg|jpeg|png|gif|mp3|pdf)$'>
    Order Allow,Deny
    Allow from all
    ## Membership 2 - End ##

    Once the PDF is in the allowed list everything should be fine.




    Thanks for the idea, but it doesn’t work. What happens when I add ‘pdf’ to the list under Advanced Media Protection, the PDF file then becomes available to anyone with the URL, exactly the result NOT desired.

    Close inspection on that settings page shows that it says “Only allow direct access to the following file extensions”, just above the form box where you construct the list. In other words, anything NOT on that list is supposed to be protected. Sorta counterintuitive way to do it but that’s the way it is.

    Any other ideas?

    Plugin Support Kasia – WPMU DEV Support


    Hello @simanonok ,

    If you want to allow to download these files for your members you need to use a different method.
    Advanced protection disallows access when the full path to file is used. And with PDF this is the case when you have to download it.
    You need to use “Protect Individual Media files ” instead of the “Advanced Media Protection “.

    kind regards,

    Thank you for your suggestions, but nothing works anymore to enable content protection. Not Advanced Media Files, not Protect Individual Media Files, not even URL protection. Not only that, but even when all protection has been shut off it is necessary to go into /public_html/wp-content/uploads/ and delete or rename the .htaccess file in order to even gain access to the ‘unprotected’ PDF file, Membership 2 does not even take care of that anymore. I have deactivated every plugin that’s even remotely unnecessary and the only plugin deactivation that makes the PDF file accessible again is the Membership 2 plugin, AND I still have to delete or rename .htaccess in /public_html/wp-content/uploads/.

    Strange how content protection used to work fine but nothing at all will make it work now.

    I am going to have to either A) use another membership plugin with content protection or B) try to use Membership 2 with a separate plugin that only does content protection. Can you recommend what you think might be the best options for BOTH A) and B)?

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Media Protection Instability’ is closed to new replies.