I was working on a secure site with sensitive video material that we needed strict members access to. Even though many plugins can make sure your direct permalinks can only be seen by logged in members, direct links to files in your wp-content directory are still accessible to others. They can even be hotlinked from other sites.
One way around this is to move the wp-content directory outside the web visible portion of your directory on the server, but even so WordPress can always link to such files. A better way is to tell your server not to give access to certain files (say ending with mp4 or mp3) and only allow such access from your own domain.
We can use Apache Mod Rewrite for this – it’s a complex language that you can utilise in your .htaccess file within the wp-content folder.
Let me show you how to keep prying eyes out of your content.
The Problem
Say you had a PDF file that you’d like visitors on your own site to download.
However, if someone were to copy this link and call it from a browser window directly, or if they were to post the direct link to this PDF on their website they will NOT be able to download the document.
The Solution
Upload a .htaccess file into your wp-content folder. Have a look if one exists already, then append this code to the end of the file. If you don’t have one, just create a new blank file and add this code to it:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourwebsite\.com/ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov) [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)$ http://yourwebsite.com/ [NC]
This rather strange sounding code is neither Linux nor PHP nor MySQL – it’s Apache (that’s the service which usually takes care of serving up those websites from a server). These are instructions that will instruct Apache do the following – I’ll explain this line by line:
- here are some instructions I’d like you to use in this directory
- IF someone comes from anywhere other than yourwebsite.com
- AND they ask for a direct file that ends with any of the following (gif, png, jpg, etc)
- AND they are not logged into WordPress on this domain
- THEN direct every link to such files to http://yourwebsite.com
If these conditions are not met, then give out the file – everyone’s happy.
Why do I need this?
To prevent people hotlinking to your files. One aspect is security: say you have sensitive material that you want only your visitors to see. Or imagine you had a members area and give out a PDF that you’d like them to see without an encrypted link when only they’re logged in.
Same for image or videos hosted on your site, that you’d like to embed into your own pages alone and nowhere else. I had a guy once link one of my images as his background to his MySpace page. He had tons of hits, and every time someone visited his MySpace profile, the background graphic came from my server. If you’re on a plan with bandwidth limitations this can get you into trouble.
I want this functionality, but this all sounds Chinese. Can you help me?
Certainly! Book a half hour support slot here or over at WP Hosting and I’ll get this setup for you in no time.
Further Reading
These articles discuss the same subject:
- http://top-frog.com/2010/07/01/a-simple-way-to-limit-file-downloads-to-only-logged-in-users-in-wordpress
- http://wordpress.stackexchange.com/questions/35226/the-best-way-to-protect-uploaded-media-in-wordpress
- http://wordpress.org/support/topic/how-to-protect-media-library-uploads-folder-within-a-membership-site
