How to prevent direct file access in your wp-content directory


I was working on a secure site with sensitive video material that needed strict member-only access. Even though many plugins can make sure your permalinks can only be seen by logged-in members, direct links to files in your wp-content directory are still accessible to everyone else. They can even be hotlinked from other sites.

One way around this is to move the wp-content directory outside the web visible portion of your directory on the server, but even so WordPress can always link to such files. A better way is to tell your server not to give access to certain files (say ending with mp4 or mp3) and only allow access from your own domain.

We can use Apache Mod Rewrite for this – it’s a complex language that you can utilise in your .htaccess file within the wp-content folder.

Let me show you how to keep prying eyes out of your content.

The Problem

Say you had a PDF file that you’d like visitors on your own site to download.

However, if someone were to copy this link and call it from a browser window directly, or if they were to post the link to your PDF on another website, then the document should not be accessible. By default it is. Let’s fix that.

The Solution

Upload a .htaccess file into your wp-content folder. Have a look if one exists already, then append this code to the end of the file. If you don’t have one, just create a new blank file and add this code to it:

RewriteEngine On
# Referer is not your own site (a missing Referer, e.g. a pasted URL, also passes this test)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourwebsite\.com/ [NC]
# Requested path is not a file named hotlink.<ext> (escape hatch for files you deliberately allow to be linked)
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov) [NC]
# No cookie whose name contains wordpress_logged_in is present
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
# All three hold: redirect the file request to the home page (R = explicit redirect, L = last rule)
RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)$ http://yourwebsite.com/ [NC,R,L]

This rather strange sounding code is neither Linux nor PHP nor MySQL – it’s Apache (that’s the service which usually takes care of serving up those websites from a server). These are instructions that will tell Apache to do the following – I’ll explain this line by line:

  • here are some instructions I’d like you to use in this directory
  • IF someone comes from anywhere other than yourwebsite.com
  • AND they ask for a direct file that ends with any of the following (gif, png, jpg, etc)
  • AND they are not logged into WordPress on this domain
  • THEN direct every link to such files to http://yourwebsite.com

If these conditions are not met, then give out the file – everyone’s happy.

Why do I need this?

To prevent people hotlinking to your files. One aspect is security: say you have sensitive material that you only want your direct visitors to see. Or imagine you had a members area and give out a PDF that you’d like only logged in visitors to see without an encrypted link.

The same goes for image files or videos hosted on your site which you’d like to embed into your own pages but not allow embedding on external sites.

I had a guy once hotlink one of my images as his MySpace profile, the background graphic came from my server. If you’re on a plan with bandwidth limitations this can get you into trouble.

What else do I need?

Make sure you have an Apache web server running on your website, and that user overrides (i.e. .htaccess directives) are allowed.

When I wrote this article in 2012 this was a given, but since then the internet landscape has changed slightly. Nowadays, other web servers such as NGINX are commonplace, with which the above code will not work. Your web hosting company will be able to tell you more about your hosting environment.

Usage Examples

You can use this solution to conserve load and bandwidth on your server. For example, other users won’t be able to embed images hosted on your server in their websites (unless they upload them to their own), and sensitive files can only be shared on your own website.

However, this does not mean that sensitive files cannot be accessed at all; they are still available for download if visitors come via your website. Here’s an example of how this solution works:

  • you have a sensitive file at http://you.com/file.pdf
  • users coming from http://anywhere.com who click on that link will be redirected to your home page
  • users currently surfing http://whatever.com who paste your link into their browser bar will be redirected to your home page
  • users currently surfing your own website http://you.com who paste the link into their browser bar will also be redirected to your home page, unless they are logged in to WordPress
  • if users are logged in to WordPress, are currently surfing your website, and paste the link to the file into their browser bar, they will get access
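To make the rule’s decision logic concrete, here is a small Python simulation of the four .htaccess lines above, run over the scenarios in this list. It is an added example written for this article, not code from the original post or from Apache: the request paths, Referer values and cookie string are constructed for the demonstration, and the function mirrors the rule as written (http-only Referer check, the hotlink.<ext> exemption, the wordpress_logged_in cookie name check).

```python
import re
from typing import Dict, Optional

# Extensions guarded by the RewriteRule's pattern.
GUARDED_EXT = re.compile(
    r".*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)$", re.IGNORECASE
)
# Second RewriteCond: a path containing hotlink.<ext> is exempt from the rule.
HOTLINK_EXEMPT = re.compile(
    r"hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)", re.IGNORECASE
)
# First RewriteCond: a Referer that starts with the site's own origin skips the rule.
OWN_SITE = re.compile(r"^http://(www\.)?yourwebsite\.com/", re.IGNORECASE)
# Third RewriteCond: any cookie whose name contains wordpress_logged_in skips the rule.
LOGGED_IN = re.compile(r"wordpress_logged_in", re.IGNORECASE)
HOME = "http://yourwebsite.com/"


def decide(request_uri: str, referer: Optional[str], cookie: Optional[str]) -> str:
    """Return 'serve' or 'redirect:<url>' for one request, evaluated the way mod_rewrite would.

    All three RewriteConds are negated, so the redirect fires only when every one of them
    holds; any single condition failing means the file is served as normal.
    """
    if not GUARDED_EXT.match(request_uri):
        return "serve"  # RewriteRule pattern does not match this file type at all
    if referer is not None and OWN_SITE.match(referer):
        return "serve"  # condition 1 fails: came from our own site
    if HOTLINK_EXEMPT.search(request_uri):
        return "serve"  # condition 2 fails: deliberately exempted file name
    if cookie is not None and LOGGED_IN.search(cookie):
        return "serve"  # condition 3 fails: WordPress login cookie present
    return "redirect:" + HOME  # all conditions hold: bounce to the home page


# Constructed scenarios matching the bullet list in the article (hypothetical values).
SCENARIOS = [
    ("link clicked on another site", "/wp-content/uploads/file.pdf",
     "http://anywhere.com/page", None, "redirect:" + HOME),
    ("URL pasted into the address bar (no Referer)", "/wp-content/uploads/file.pdf",
     None, None, "redirect:" + HOME),
    ("pasted while logged in to WordPress", "/wp-content/uploads/file.pdf",
     None, "wordpress_logged_in_0123abcd=demo; wp-settings-1=x", "serve"),
    ("link clicked on one of your own pages", "/wp-content/uploads/file.pdf",
     "http://www.yourwebsite.com/post/", None, "serve"),
    ("file named hotlink.pdf linked from elsewhere", "/wp-content/uploads/hotlink.pdf",
     "http://anywhere.com/", None, "serve"),
    ("file type not covered by the rule", "/wp-content/uploads/notes.txt",
     "http://anywhere.com/", None, "serve"),
]


def run_scenarios() -> Dict[str, bool]:
    """Evaluate every scenario; True means the simulated outcome matched the expectation."""
    return {
        name: decide(uri, ref, cookie) == expected
        for name, uri, ref, cookie, expected in SCENARIOS
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

Two things the simulation makes visible that are worth keeping in mind as a defender: a missing Referer is treated the same as a foreign one, so anyone pasting the URL is bounced even on your own domain, and the third condition only checks that a cookie name contains wordpress_logged_in, not that the cookie is valid. Both the Referer and the Cookie header are supplied by the client, which is why this rule is a hotlinking deterrent rather than real access control; that is exactly the limitation the Alternatives section below describes.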

Alternatives

I’ve received many comments on this article over the years, with many suggested use cases and questions. It’s important to understand that while the above solution is a quick fix for preventing direct access to sensitive files in certain cases, it is NOT a replacement for a full membership website.

If you’re selling anything downloadable and would like to make sure only authorised users have access to the files you provide, I suggest a membership plugin like WP eMember by Tips and Tricks HQ.


117 thoughts on “How to prevent direct file access in your wp-content directory”

  1. I’ve been hunting for a way to stop comment spammers who are posting comments to WP sites directly bypassing WP login and comment controls. I’m not in favor of modifying core files because then you create a separate maintenance path and upgrades become difficult or impossible.

    I’m not sure how to test this strategy out. Any thoughts?

  2. I’d say try it out and see if it’s effective. Try to post as a non-logged in user too and see what happens (you’re most likely being redirected when you try to post, so not an ideal user experience).

    The only option to cut down on comment spam is to lock down comments by switching on the option to only let logged in users comment (under Settings – Discussion). In which case, you won’t need to prevent access to the core files.

    Alternatively you can switch off comments altogether and provide a different alternative for users to participate in a discussion.

  3. Believe me I have all those options implemented and they’re still posting comments. They’re able to bypass all WP core logic that checks for valid subscribers who are logged in. They’re posting comments on posts even after comments are closed. They’re ruthless, so, I’m looking for ways to harden the system to ensure that comments must be open (meaning ok to post comments) and that the user must be logged in, etc.

    This has been a difficult problem to solve. Most solutions suggest deleting either or both wp-trackback.php and wp-comments-post.php. But that disables comments all together.

    Other solutions suggest modifying some of the code in wp-comments-post.php by removing a couple of lines of code in the default case structure. Again modifying core files creates maintenance problems.

  4. Sounds like you’ve got your hands full. There’s an option for “anyone to register” under Settings – General, is that option ticked? Because if it is, it’s feasible for hackers to simply register and then comment. I’ve had good results unchecking that option to cut down on the amount of rogue users on some installations that had this switched on.

    Which anti-spam solution are you using? Perhaps it’s worth switching to another.

    I can think of one other option to allow comments yet keep spammers out: create a “members section” in which registered users have access to the comment feature. WP eMember is one I’ve used in the past. It can integrate with your current users but maintains its own database of access rights. This approach isn’t right for every website and adds an extra layer of complexity, but it’s another option.

  5. This issue I’m having isn’t registered users spamming the site, it’s comment spammers bypassing all restrictions and deselected options. The comments are getting trapped and pending approval before posting, so they’re not slipping by unnoticed. So core WP code and plug-ins are working and trapping everything except for a few very sneaky comment spammers. If this works, then this is a very simple fix that is easy to implement without much fuss and blocks one more access point!
