The best way to protect uploaded media in WordPress?

I’m new to WordPress as I normally code my stuff by hand, I’ve been uploading some media to display links to within protected pages, which is great, however, anyone can access the direct url of the media. Does anybody have a suggestion how to stop this? I’m reluctant to just go hacking into .htaccess.

Related posts

Leave a Reply

1 comment

  1. The first thing you need to do is disable direct access to the directories the files are stored in by uploading blank index.html files to wp-content/uploads/ and all of its subdirectories. That way no one can go browsing around your upload directories finding that media manually.

    In order to keep search engines from crawling your protected pages and users viewing it for free in searches, you may also want to add noindex meta tags to the section of your protected pages:

    <meta name="robots" content="noindex">
    

    Or you can disallow the protected pages manually, or the protected directory as a whole by adding them to your robots.txt file.

    To prevent hotlinking of images and other media, you’re going to need to upload the premium media to a specific directory, then simply add the following ReWrite rule to your .htaccess file:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www.)?domain/wp-content/uploads/premium/.*$ [NC]
    RewriteRule .(gif|jpe?g|png)$ - [F]
    

    Add as many file extensions as you’d like on the last line, separated by pipes. Obviously, you also want to replace your_domain.com in the code above.

    If you’d like those who hotlink to see a “no hotlinking”, use the following code in your .htaccess file:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www.)?domain.com/wp-content/uploads/premium/.*$ [NC]
    RewriteRule .(gif|jpg)$ http://www.domain.com/no-hot-linking.jpg [R,L]
    

    You can also change the final line of the above code to a specific URL you’d like to re-direct visitors to, like your homepage or a landing page asking users to become a premium member to view the content.