password protect images

  • jaip

    (@jaip)


    11 years, 11 months ago

    I just developed an easy way to protect images on a simple password protected page in wordpress. (a page which uses the inbuilt wordpress password protected page)And you would like the image to be viewed only by the holder of the password.

    3 steps to do it:
    1) Put a htaccess file in the folder which you want to protect. The folder which holds your image. Text:

    deny from all

    2) In wp-content/wp-includes/post-template.php find the function post_password_required –
    at the end of the function just before return false add this piece of code:

    $ok_ip=$_SERVER[‘REMOTE_ADDR’];
    $allow_ip=file_get_contents(WP_CONTENT_DIR.’/uploads/secretfolder/.htaccess’);
    $allow_ip.=”\n”.’allow from ‘.$ok_ip;
    file_put_contents(WP_CONTENT_DIR.’/uploads/secretfolder/.htaccess’,$allow_ip);
    return false;

    now access is allowed from the IP which has the password. In case of shared IP this might be a problem for you so:

    3) Use javascript/jquery $(window).load and make an ajaxcall to a php program which sets

    file_put_contents(WP_CONTENT_DIR.’/uploads/secretfolder/.htaccess’,’deny from all’)

    this happens after all pictures are loaded and will do for most situations
    in case you have much trafic you might just remove actual IP from allowed ips in a similar manner.

    It also goes well with a plugin like ft protect children pages (not mine)
    Try also my new plugin jaip page style

Viewing 5 replies - 1 through 5 (of 5 total)
  • Rev. Voodoo

    (@rvoodoo)

    11 years, 11 months ago

    In wp-content/wp-includes/post-template.php find the function post_password_required

    We highly recommend you do NOT do this, or ever edit any core files in any manner.

    Every time WP is upgraded, the changes will be lost. Also, editing core files can have any variety of unforeseen consequences, and would make it nearly impossible to troubleshoot…

    Thread Starter jaip

    (@jaip)

    11 years, 11 months ago

    If it is possible to redefine this function in a childtheme then this of course is the way. It is just not in the plugable functions so I have not tried it yet but only developed the code and praxis which has the flaws of editing core code where you of course have to consider where the function might be used apart from the actual situation. In the concrete example nothing unforeseen happens unless you mess it all up and delete something you not wanted or something like that. I would expect some acknowledgement apart from the worries because it works and is easy and several requests for a solution have been made. It could easily be made a part of the corecode where the path to protected folder should be provided along with a password when creating protected pages – why not?

    Thread Starter jaip

    (@jaip)

    11 years, 11 months ago

    In a plugin the code below seems to work and so avoid changing core code. In case the folder ‘secret’ not exists php does not create it, so there are a few microseconds of delay on unprotected pages and nothing else. So far as I can see from this angle it is a must to disallow ip on $(window).load else any page call will allow the images to be seen (if you know or guess the url)

    add_action(‘wp_head’,’jaip_protect_images’);

    function jaip_protect_images(){

    if(post_password_required()==false)){
    $ok_ip=$_SERVER[‘REMOTE_ADDR’];
    $allow_ip=file_get_contents(WP_CONTENT_DIR.’/uploads/secret/.htaccess’);
    $allow_ip.=”\n”.’allow from ‘.$ok_ip;
    file_put_contents(WP_CONTENT_DIR.’/uploads/secret/.htaccess’,$allow_ip);
    }
    }

    using this clause will avoid setting the ok_ip on unprotected pages as far as I can see
    $post = get_post();
    if(post_password_required()==false&&!empty($post->post_password)){
    $ok_ip=$_SERVER[‘REMOTE_ADDR’];
    $allow_ip=file_get_contents(WP_CONTENT_DIR.’/uploads/secret/.htaccess’);
    $allow_ip.=”\n”.’allow from ‘.$ok_ip;
    file_put_contents(WP_CONTENT_DIR.’/uploads/secret/.htaccess’,$allow_ip);
    }
    }

    Thread Starter jaip

    (@jaip)

    11 years, 11 months ago

    Thread Starter jaip

    (@jaip)

    11 years, 11 months ago

    The end is that checking for empty($post->password) does work for single pages but not for the childpages in for instance ft protect children pages where the first topmost solution does work with childpages.

    The plugin solution without checking for empty($post->password) does also work with childpages, but have a security breach if you do not disallow when window has loaded.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘password protect images’ is closed to new replies.