I’ve got the following .htaccess file in my a custom directory in Uploads called client.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !(www.)?example.co.uk/client-area*
RewriteRule ^.*$ - [R=403,L]
ErrorDocument 403 'http://www.example.co.uk/client-area/'
So if someone tries to access a file in the uploads/client/ directory from anywhere else other than the client-area page, they get redirected.
However, I want to ignore this when I’m using when using the WordPress function download_url
to access a file in that directory from within functions.php. Is there a rewrite condition I can use to facilitate this?
You can add another
RewriteCond
on theQUERY_STRING
property.https://wiki.apache.org/httpd/RewriteQueryString
Edit: I misunderstood the question. I thought you were passing
download_url
in the URL. You could just exclude from your RewriteRule the entire directory where downloadable files are located.E.g.
By the way, I wouldn’t really depend on
HTTP_REFERER
to filter content, it can be easily modified/spoofed by the client. The regex in theRewriteCond
I added, will match letters, numbers, dashes, underscores, pluses and forward slashes. It specifically will not match".."
. This is to prevent relative URIs from access other files outside ofwp-content/uploads
. (I think Apache will actually expand the URI and then try to match the expanded URI against your rules.)If I understand it correctly you are calling a WP function
download_url
and want to skip this rule from 403.The thing is that Web server (Apache) won’t know if request is coming due to you calling
download_url
function.As a workaround you will need to pass some query parameter to help out
mod_rewrite
rules but that is not a safe approach as any visitor of your website can also do the same by passing same query paramter.