I’ve got the following .htaccess file in my a custom directory in Uploads called client.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(www.)?example.co.uk/client-area*
RewriteRule ^.*$ - [R=403,L]
ErrorDocument 403 'http://www.example.co.uk/client-area/'
So if someone tries to access a file in the uploads/client/ directory from anywhere else other than the client-area page, they get redirected.
However, I want to ignore this when I’m using when using the WordPress function download_url to access a file in that directory from within functions.php. Is there a rewrite condition I can use to facilitate this?
You can add another
RewriteCondon theQUERY_STRINGproperty.https://wiki.apache.org/httpd/RewriteQueryString
Edit: I misunderstood the question. I thought you were passing
download_urlin the URL. You could just exclude from your RewriteRule the entire directory where downloadable files are located.E.g.
By the way, I wouldn’t really depend on
HTTP_REFERERto filter content, it can be easily modified/spoofed by the client. The regex in theRewriteCondI added, will match letters, numbers, dashes, underscores, pluses and forward slashes. It specifically will not match"..". This is to prevent relative URIs from access other files outside ofwp-content/uploads. (I think Apache will actually expand the URI and then try to match the expanded URI against your rules.)If I understand it correctly you are calling a WP function
download_urland want to skip this rule from 403.The thing is that Web server (Apache) won’t know if request is coming due to you calling
download_urlfunction.As a workaround you will need to pass some query parameter to help out
mod_rewriterules but that is not a safe approach as any visitor of your website can also do the same by passing same query paramter.