Support » Networking WordPress » Protect direct access to uploaded files

  • I am running a multisite with the latest WP3 and BuddyPress. I have it protected with Private BuddyPress and have disallowed robots to the site. Unfortunately, Google has picked up some of the files in my sub-site’s files folder. One can easily download these files with the full url known. I need to be able to prevent people from getting access to these files without being logged in.

    If they are logged in, I don’t care if they can download them; I just want to prevent non-members from getting access to the files. There is a great plugin called Private Files (seen here — that works wonderfully on non-multisite WP installations. Unfortunately, it fails on all multisite sub-sites.

    I believe this is due to the rewrite of the url from ‘/blogs.dir/2/files’ to ‘sub-site_name/files.’ This is more than I can handle without some expert help. Can someone out there help me out? Thanks in advance for any assistance.


Viewing 15 replies - 1 through 15 (of 15 total)
  • I’m not sure how it works with virtual (rewritten) directories, but one classic approach to trying to protect files from being downloaded by people that aren’t logged in is to use .htaccess to check for a specific cookie before serving the file.

    The .htaccess code would look something like:

    RewriteCond %{HTTP_COOKIE} !CookieName=
    RewriteRule ^document-directory.*$ /login-page [L,R=301]

    A little more info can be found at

    In order to signify that the access is forbidden, you might even want to change “R=301” to “R=403”, but I’ve never used that, so I don’t know exactly how it works.

    Also, in order for this to work properly, all of the files that you want forbidden will need to reside in a directory separate from the files that you want available to the public. You can’t selectively (not easily, at least) specify which files within a directory should be protected and which shouldn’t. Good luck.

    One can easily download these files with the full url known. I need to be able to prevent people from getting access to these files without being logged in.

    Funnily enough, we’re working on a buddypress plugins that does this. No ETA.

    Hey Curtis, thank you for the tip; I will try it out in a few hours and let you know how it works out. Thanks again.

    Andrea, I was hoping for a plugin from you guys on this one. I hope you all work it out soon as it would be a welcome for this and many projects. Thanks.


    Well, couldn’t get it to work. I couldn’t get the subsite’s files directory to follow the htaccess rules, so I had to utilize the root htaccess file. Here’s what I used in case anyone else would like to try:

    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_YOURUNIQUESTRING.*$ [NC]
    RewriteCond %{REQUEST_URI} !^/wp-login.php$
    RewriteCond %{REQUEST_URI} !^/wp-admin/css/*.css*$
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/YOURTHEME/style.css$
    RewriteRule .* YOURDOMAIN/wp-login.php [NC,L]

    It basically protects everything, so it’s not perfect, but if protecting your assets is important, then it works.


    Andrea, good luck on your plugin and let me know when it is live. It is very needed. Thanks.


    Andrea_r, do you have any news re that buddypress protection plugin?!?

    I too would love to know of any progress with the plugin.

    3.1 is almost ready to drop, and it has changes in the super/network admin we have to account for


    Buddypress is also undergoing significant changes to some structure & getting ready for 3.1,


    Just a wee bit longer. 🙂 Then we’ll have it out after 3.1 & the next BP as best we can. Right now we’re elbow-deep getting everything else we have ready for 3.1.

    Thanks for the update Andrea. We are all looking forward to your plugin!


    If it helps, i’ve been using it at wpebooks. 🙂

    What are you using at wpebooks? wp-content/uploads/… seems to be accessible. Pls help…

    I’m using the plugin I mentioned above, the one I am working on and is not yet released.

    yes, the uploads folder is accessible, but that doesn’t mean I’m putting file downloads there. 😉

    Thanks a lot, Andrea!
    EDITED Feb 8, 2011 by Boone Gorges to include the code for creating directories when none exist!

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘Protect direct access to uploaded files’ is closed to new replies.