12

I have a restricted area on a website that can only be accessed by logged-in users. For that I created a page template with a 'current_user_can()' condition.

My problem is that the documents attached to the restricted pages are still accessible to anyone if you put the complete path into the browser's address bar.

Is there a way to restrict access to uploaded files?

EDIT: I want to clarify, the files should be accessible only to logged-in users.

mike23

5 Answers

7

This isn't really a WordPress question - but you can add a rewrite rule to prevent access unless the referrer is your own domain.

[Update]

You'll need to do 2 things

  1. Add a rewrite rule (either directly with .htaccess or by using WP_rewrite (Codex reference)). The aim here is to deny requests to your documents that don't have your domain as a referrer - this stops people pasting the link into a browser's address bar.

  2. Wrap your download links in an is_user_logged_in (Codex reference) conditional block - that way they will only show up on the page if the user is logged in.

A code example is available in a related question:

anu
3

I would change the upload dir to one outside the www folder. Then you "send" the file using a "proxy" page. The proxy page checks whether the user is logged in, then sends the file using header()/readfile().

Nicolas
1

You may use hot-linking protection in your webserver of choice.

See this StackOverflow answer:
https://stackoverflow.com/questions/1775582/apache-hotlink-protection-for-download-folder.

This uses an apache2 .htaccess file.

Basically, you deny the download if the user is not coming from a page of your blog!

keatch
1

This worked for me. You can prevent access to the wp-content/upload folder (excluding logged-in users) by creating a .htaccess file and adding the following rewrite rule:

```apache
# Disable directory browsing
Options -Indexes

# Redirect non-logged-in users to the login page
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule \.(pdf|jpg)$ /wp-login.php [L,R=302]
```

jemcam
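The "proxy" page approach from Nicolas's answer, as an added example that is not part of any answer in this thread. It verifies the session server-side with WordPress's own is_user_logged_in(), rather than testing for the presence of a cookie *name* as the .htaccess rule above does (a value any client can set itself). It assumes the script sits in the WordPress root next to wp-load.php and that the protected files live in a hypothetical directory /var/www/private-uploads outside the web root.

```php
<?php
// Added example, not from the original thread: a WordPress download proxy for
// files stored OUTSIDE the web root, so the web server never serves them directly.
// Assumed location: WordPress root (next to wp-load.php).
require_once __DIR__ . '/wp-load.php';

// Hypothetical directory outside the document root; adjust to your layout.
define('PRIVATE_UPLOAD_DIR', '/var/www/private-uploads');

// 1. Only logged-in users may download anything. auth_redirect() sends
//    anonymous visitors to wp-login.php and exits.
if (!is_user_logged_in()) {
    auth_redirect();
}

// 2. Resolve the requested name and refuse anything that escapes the directory
//    (e.g. "../wp-config.php"). basename() strips any directory component, and
//    realpath() normalises the result so we can confirm it is still inside $base.
//    Subdirectories are deliberately not supported by this example.
$name = isset($_GET['file']) ? (string) $_GET['file'] : '';
$base = realpath(PRIVATE_UPLOAD_DIR);
$path = ($base !== false && $name !== '') ? realpath($base . '/' . basename($name)) : false;

if ($path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    status_header(404);
    exit('File not found.');
}

// 3. Send the file as an attachment with an explicit Content-Type so the browser
//    does not render an uploaded HTML/SVG file inline in the site's origin.
$ftype = wp_check_filetype(basename($path));
$mime  = !empty($ftype['type']) ? $ftype['type'] : 'application/octet-stream';

nocache_headers();
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
exit;
```

Link to it from the restricted page as /download.php?file=report.pdf (the script name is an assumption); the file itself is never reachable by URL because it is not under the document root.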
0

The registered user only plugin looks only to make sure that a visitor is logged in before viewing your page content. Access to your files via a browser is controlled by the server.

You should try the WP plugin AskApache Password Protect - http://wordpress.org/extend/plugins/askapache-password-protect/

Of course this will only work if your WordPress blog is hosted on an Apache server.

thetitan