Support » Networking WordPress » Prevent direct access to a single blogs uploads

  • Resolved OleVik



    I am aware of how to make content private (using user permissions to prevent access to content within WP), but how can I prevent direct access to the uploads of one of the various sites within my multisite network?

    Example: A file called abc.jpg located at, which is actually located within /wp-content/blogs.dir/6/files/2012/01/abc.jpg: The file should only be available when called within a script (HTML) on the local domain (here:, and not be accessible through direct access (or hotlinking).

    I tried accomplishing it with editing the .htaccess file, which looks like this (excerpt):

    # uploaded files
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.+)$ - [NC,L]
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

    The pattern (^([_0-9a-zA-Z-]+/)?(.+)$) does match the file ( according to RegExr, but does not prevent access to the uploads from this site.

    How can I achieve content protection on a single site within the network?

Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator Ipstenu (Mika Epstein)


    ๐Ÿณ๏ธโ€๐ŸŒˆ Plugin Review Team Rep

    Eeeeeeh. (That’s the sound I make when the answer isn’t good)

    To quote something I’m in the progress of writing:

    While moving the location of your uploads folders to protect uploads may seem like a good idea, itโ€™s not actually protecting you as much as youโ€™d think. Also remember that all anyone has to do is go to your site to find your files. The standard media upload folder is, basically, not worth โ€˜protectingโ€™ past the hotlink protection mentioned above.

    The problem with the usual methods of getting around this (like uploading files via FTP to a folder outside of the public_html folder) is difficult, since your users donโ€™t have access to FTP. No matter what, this is something you will have to apply for your users
    A traditional approach is to check if the cookies exist for your site, and, if not, returns the login page. Of course, cookies can be faked, which is why there are plugins that can restrict downloads to members:

    The real tl;dr of the matter is to not host those private media files on your server. Sites like and exist for a reason. They can protect your special downloadables much better than you can by simply not having them installed on your server. Of course those things cost money, so if youโ€™re determined to self-host, youโ€™d going to be fighting download theft forever.

    A fair answer, which does in fact explain most of the reasoning behind why it is a hard nut to crack. My thought is, however, as follows: If users that do not have specific privileges within WP cannot see the directory listing, cannot access file by direct URL and also cannot hotlink files; the files are indeed private to the extent they need to be.

    The only way they would get re-distributed would be if someone gained FTP-access or the users that are able to see them within WP do so.

    I looked at those plugins, as well as some other membership ones, but they all seem rather “heavy” to just disable public access to a folder (which is rather easy to accomplish with a single-site blog, but becomes a different beast when I only want to block one blog in a network).

    I naturally assumed that someone had done this before, but I can find no viable references to doing it within multisite, nor have I been able to figure out why my current setup fails (the RewriteRule seems valid, but crashes somehow with the one directing to ms-files.php).

    As I see it, I have to options:
    A) Figure out how to make queries to not be handled by the ms-files.php rewrite.
    B) Force user privileges checks within ms-files.php, which would add extra load on all sites in the network.

    Any opinion on best route of action?

    Moderator Ipstenu (Mika Epstein)


    ๐Ÿณ๏ธโ€๐ŸŒˆ Plugin Review Team Rep

    People have done it before, but every solution has been heavily site-specific, which doesn’t engender itself to what you need.

    If users that do not have specific privileges within WP cannot see the directory listing, cannot access file by direct URL and also cannot hotlink files; the files are indeed private to the extent they need to be.

    Well, the directory listing is easy. Add this to your .htaccess (up at the tippy top): Options -Indexes

    Hotlinking, also easy:

    Cannot access file by direct URL… That’s the problem.

    I mean, look. WORDPRESS has to do that, right? The only solution for that is to put your media outside of the public_html folder. That’s how the big boys do it.

    Pure Speculation Follows: For WP we’d need a custom ms-files.php to look in /home/user/wp-uploads/#/files instead of /home/user/public_html/wp-content/blogs.dir/#/files Then you change the settings for all your sites to point there for uploads, but keep using the /files/ URL. Change the .htaccess to use your ms-files and off you go.

    No idea of that’d work. I know that other apps can do it (Gallery does, IIRC) but I suspect there’s a lot more to it.

    I use personally, and the media I want to be ‘hidden’ I upload with that. The rest I don’t.

    Yes, directory-listing and hotlinking proved easy indeed. As I see it, the problem with placing files outside of their regular location within blogs.dig/#/files/ is that it would have to be done for all the sites. And this of itself is no less work than attempting to stop behavior on a specific site.

    My original approach might actually prove easiest: Turn of directory listing for all domains, stop hotlinking for all domains, use a RewriteRule that overrides the default behavior of WP and instead returns a 404 error (or redirects) when attempting to access files on that specific domain.

    So, like the original example, I need to figure out how to make a RewriteRule or RewriteCond that makes the server ignore the default:
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
    and instead use:
    RewriteRule ^([_0-9a-zA-Z-]+/)?(.+)$ - [L]
    If I am not mistaken, this would work so that any request to the server for a file at would be met with a 404, while any other domain would go to ms-files.php.

    I’ll have a look at Download Monitor to see if I can’t find some valid mod_rewrite tips.

    Moderator Ipstenu (Mika Epstein)


    ๐Ÿณ๏ธโ€๐ŸŒˆ Plugin Review Team Rep

    Doing an .htaccess for one domain only is this:

    RewriteCond %{HTTP_HOST} ^somedomain\.com
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) - [L]


    RewriteCond %{HTTP_HOST} ^somedomain\.com
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) [L,R=301]

    If you want to redirect.

    (S’how I do it for my mapped domains all the time ๐Ÿ˜‰ )

    Thanks, that worked excellently! It might not be entirely dynamic (adding to .htaccess manually versus adding it as a mod_rewrite_rules filter), but then again I am not in the need of the solution as a plugin.

    I might have been a bit quick to conclude… By this method, direct access is in fact disallowed, but how do I allow the uploads displayed on the server (IE. on a page only visible to me)?

    Moderator Ipstenu (Mika Epstein)


    ๐Ÿณ๏ธโ€๐ŸŒˆ Plugin Review Team Rep

    I take it embedding in a post doesn’t work?

    My usual tweak would be RewriteCond %{HTTP_REFERER} !^somedomain\.com (which is ‘if the req didn’t come from ME…) but I’m not totally sure how to combine that with the HTTP_HOST check.

    So it’d be …

    ‘IF HTTP_REFERER is NOT somedomain
    AND HTTP_HOST IS somedomain
    THEN show no image.’

    I tried:

    RewriteCond %{HTTP_REFERER} !^somedomain\.com
    RewriteCond %{HTTP_HOST} ^somedomain\.com
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) [L,R=301]
    RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

    But didn’t work. According to RewriteCond – when should I use [OR]? RewriteConds “default behaviour is ‘AND’ — All of the RewriteConds have to be true in order to trigger the rule.”

    OleVik and Ipstenu, thank you for this discussion. I am trying to do exactly the same thing as you OleVik, but I’m banging my head against the wall trying to prevent the direct access of a file. I’m trying to build a “member’s only” area for a client where they offer their dealers highly sensitive PDFs.

    My latest attempt has been with the WordPress Download Monitor plugin mentioned here, and at first I thought it took care of preventing direct access to the file, but have know learnt it’s still possible. All it does it mask the url. Still going to use it though because it’s perfect for what I’m doing otherwise.

    Anyways, I tried some of the .htaccess rules but they didn’t seem to have any effect for me (I replaced the somedomain\.com of course). I also don’t have the ability to move my files outside of the httpdocs directory as WPEngine doesn’t allow this by the look of it.

    OleVik – Have you come across any more ideas on how to accomplish this since 2 weeks ago? Have you got this all sorted with those .htaccess rules? I must be doing something horribly wrong…

    Moderator Ipstenu (Mika Epstein)


    ๐Ÿณ๏ธโ€๐ŸŒˆ Plugin Review Team Rep

    The whole tl;dr of this is “If you put it on the internet, people WILL get to it.”

    Using WP to ‘protect’ any file is the wrong tool for the job. I love it, but unless you’re uploading files outside your /html/ folder, thery’re gonna get found.

    Ipstenu: You note about Host may help me. Not to block all but just like Codex Hardening WordPress.

    I am trying to solve problem noted in
    I think htaccess not working because different Hosts maybe?

    Path for long way /wp-content/blogs.dir/2/files different for htaccess than path for

    Can I put something in top htaccess for the Host2? Or this is just something not to try do with MU?

    Moderator Ipstenu (Mika Epstein)


    ๐Ÿณ๏ธโ€๐ŸŒˆ Plugin Review Team Rep

    You should make your own topic for this really (both posts you’re attempting to hijack are marked resolved, that’s a BIG hint to make a new one ๐Ÿ˜‰ )

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Prevent direct access to a single blogs uploads’ is closed to new replies.