2

For my Wordpress site, I currently force all users to log in to view any page or post. For example, anyone going to www.mywebsite.com or www.mywebsite.com/a-wordpress-page/ will have to sign in in order to view it.

However, anyone can currently forcefully browse to any file uploaded in the Media Library without needing to log in. For example, anyone can go to www.mywebsite.com/wp-content/uploads/2013/10/myfile.jpg without needing to log in. I want to redirect them to the login screen if possible.

Is it possible to protect this URL? What is the best solution for this? Thanks in advance.

Some things I've tried but they didn't really work...

Community
  • 1
  • 1
Chun
  • 1,968
  • 3
  • 17
  • 18

1 Answers1

0

Include a .htaccess file in /wp-content/uploads that contains these conditions:

 RewriteCond %{REQUEST_FILENAME} ^.*(mp3|m4a|jpeg|jpg|gif|png|bmp|pdf|doc|docx|ppt|pptx|)$
 RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
 RewriteRule . - [R=403,L]

This checks if the user is logged in or not. If not, it produces a 403 error. Can also be rewritten to direct the user to the login page.

Chun
  • 1,968
  • 3
  • 17
  • 18
  • This will block images etc from loading in blog posts if they have attached imagery, for example a featured image for logged out users. – Daniel Dewhurst Dec 16 '15 at 10:33
  • 1
    @DanielDewhurst Did you not notice the OP's first sentence...? `For my Wordpress site, I currently force ALL users to log in to view any page or post` – Ray May 15 '17 at 16:08
  • 2
    @Ray I must've not done. It should also be noted that this is not secure in anyway. Checking for existence of a cookie is not something you should rely on, depending on the sensitivity of the data. – Daniel Dewhurst May 17 '17 at 11:31
  • @DanielDewhurst understandable – Ray May 17 '17 at 12:28