I have a restricted area on a website that can only be accessed by logged-in users. For that I created a page template with a ‘current_user_can()’ condition.
My problem is that the documents attached to the restricted pages are still accessible to anyone if you put the complete path into the browser’s address bar.
Is there a way to restrict access to uploaded files?
EDIT: I want to clarify, the files should be accessible only to logged-in users.
This isn’t really a WordPress question – but you can add a rewrite rule to prevent access unless the referrer is your own domain.
[Update]
You’ll need to do 2 things
Add a rewrite rule (either directly with .htaccess or by using WP_rewrite (Codex reference)). The aim here is to deny requests to your documents that don’t have your domain as a referrer – this stops people pasting the link into a browser’s address bar.
Wrap your download links in an is_user_logged_in (Codex reference) conditional block – that way they will only show up on the page if the user is logged in. A code example is available in a related question:
I would change the upload dir to one outside the www folder. Then you “send” the file using a “proxy” page. The proxy page checks whether the user is logged in, then sends the file using header()/readfile().
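An added example of the proxy approach described above (this is not code from the answer or from WordPress itself). It assumes the protected documents were moved to a directory outside the web root (the `PROTECTED_DIR` constant, an assumed path), that download links point at `/?protected_file=NAME`, and uses the hypothetical names `pf_serve_protected_file()`, `pf_protected_link()` and the `protected_file` query parameter. Because the files live outside the document root, the webserver cannot serve them by path at all; the only way to get the bytes is through this endpoint, which performs the `is_user_logged_in()` check and refuses any name that could escape the directory.

```php
<?php
/*
 * Added example (not the answer's own code): a WordPress "proxy" download
 * endpoint. Drop it into a small plugin or the theme's functions.php.
 * Assumed: PROTECTED_DIR lives outside the web root; links use ?protected_file=NAME.
 */

// Assumed location: one level above the WordPress install, so Apache/Nginx never serve it directly.
define( 'PROTECTED_DIR', dirname( ABSPATH ) . '/protected-uploads' );

add_action( 'init', 'pf_serve_protected_file' );

function pf_serve_protected_file() {
    if ( ! isset( $_GET['protected_file'] ) ) {
        return; // Not a download request; let WordPress continue normally.
    }

    // The actual access control: only logged-in users get the file.
    if ( ! is_user_logged_in() ) {
        status_header( 403 );
        exit( 'Login required.' );
    }

    // Accept a bare file name only. basename() strips any directory part and
    // sanitize_file_name() removes characters that have no business in a name,
    // so "../secret" or an absolute path cannot point outside PROTECTED_DIR.
    $name = sanitize_file_name( basename( wp_unslash( $_GET['protected_file'] ) ) );
    if ( $name === '' ) {
        status_header( 400 );
        exit( 'Bad request.' );
    }

    // Belt and braces: resolve both paths and confirm the file is really inside the folder.
    $base = realpath( PROTECTED_DIR );
    $path = realpath( PROTECTED_DIR . '/' . $name );
    if ( $base === false || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0
        || ! is_file( $path ) ) {
        status_header( 404 );
        exit( 'Not found.' );
    }

    // Send the bytes ourselves; the real filesystem path is never exposed.
    $type = wp_check_filetype( $name );
    nocache_headers(); // keep proxies and the browser from caching a private document
    header( 'Content-Type: ' . ( $type['type'] ? $type['type'] : 'application/octet-stream' ) );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}

// Template helper: the link is only rendered for logged-in users, and it points
// at the proxy endpoint rather than at any directly reachable file path.
function pf_protected_link( $name, $label ) {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    $url = add_query_arg( 'protected_file', rawurlencode( $name ), home_url( '/' ) );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $label ) . '</a>';
}
```

In a page template you would call `echo pf_protected_link( 'report.pdf', 'Download the report' );`. Hiding the link is cosmetic; the login check inside `pf_serve_protected_file()` and the out-of-webroot location are what actually keep the document private.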
You may use hot-linking protection using your webserver of choice.
See this StackOverflow answer:
https://stackoverflow.com/questions/1775582/apache-hotlink-protection-for-download-folder.
This uses an apache2 .htaccess file.
Basically, you are denying the download if the user is not coming from a page of your blog!
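The referrer-based rule that the first answer and the hot-linking answer above both describe, written out as an added example (not code from either answer or from the linked StackOverflow post). It assumes the documents sit under `wp-content/uploads/protected/` and that the site is `example.com`. One caveat for anyone relying on it: the Referer header is supplied by the client and is often blank (address-bar pastes, privacy extensions, some corporate proxies), so this blocks casual link-sharing but is not a substitute for a server-side login check.

```apache
# Added example (not from the answers): Apache .htaccess hot-link protection
# for a protected uploads folder. Assumed paths: wp-content/uploads/protected/
# and the domain example.com.
<IfModule mod_rewrite.c>
RewriteEngine On

# Allow the request only when the Referer is one of our own pages.
# A pasted URL carries no Referer, so the empty case fails the match and is denied.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# Any document in the protected folder requested without our Referer gets 403.
RewriteRule ^wp-content/uploads/protected/.*\.(pdf|docx?|xlsx?|pptx?|zip)$ - [F,NC,L]
</IfModule>
```

Test it with a direct request (no Referer header) and expect a 403, then load the same file from a page on the site and expect the download; if both succeed, mod_rewrite is not enabled or `AllowOverride` does not permit `.htaccess` rules in that directory.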
The registered user only plugin looks only to make sure that a visitor is logged in before viewing your page content. Access to your files via a browser is controlled by the server.
You should try the WP plugin AskApache Password Protect – http://wordpress.org/extend/plugins/askapache-password-protect/
Of course this will only work if your WordPress blog is hosted on an Apache server.