WordPress – Locking files for non-logged in users

Many a time you will have set up your WordPress site with access levels and memberships, and placed links to certain documents on the protected pages. Of course, you have restricted those pages and posts to logged-in users only. But if someone copies the download link (the direct link to the document, image or any other media), the resource is served to any visitor, regardless of whether they are logged in.

That is in fact a security issue. There are many plugins that restrict users, and others that restrict folders, but a plugin cannot step in here: the request goes straight from the browser to the web server for a static media file, and WordPress (and therefore any plugin) never runs for it.

Also, these documents can be crawled and shown by search engines, again irrespective of your user access levels and memberships.

Restricting files and folders within our app can be done easily with the .htaccess file, because Apache evaluates it for every request, static files included.

For those who are new to the .htaccess file, it is worth getting a good understanding of it first. Below are some helpful links that will give you a fair idea:

1. The wiki would be anybody's first choice.

2. The Apache tutorial has a good section on it.

3. A comprehensive guide on the same topic.

4. A site dedicated to .htaccess!

The first type is basic blocking:

Here we block every request for files with certain extensions and show the 403 Forbidden page instead. Create a .htaccess file (or edit the existing one) in the root directory of WordPress.

# These next two lines will already exist in your .htaccess file
RewriteEngine On
RewriteBase /
# Add these lines right after the preceding two
# Match only a real file extension (note the escaped dot), case-insensitively
RewriteCond %{REQUEST_FILENAME} \.(pdf|doc|docx)$ [NC]
# ...and only when no WordPress login cookie is present in the request
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
# Answer 403 Forbidden instead of serving the file
RewriteRule . - [F,L]

This makes sure that all files with the extensions pdf, doc and docx are blocked for visitors who are not logged in to WordPress. You can add as many extensions to the list as you need.

Here it would be nicer to show a better message page than Apache's default 403 page. For that, create a new page with a different template and point the RewriteRule to this new page.

# These next two lines will already exist in your .htaccess file
RewriteEngine On
RewriteBase /
# Add these lines right after the preceding two
# Match only a real file extension (note the escaped dot), case-insensitively
RewriteCond %{REQUEST_FILENAME} \.(pdf|m4a|jpg|gif|jpeg|doc|docx|png)$ [NC]
# ...and only when no WordPress login cookie is present in the request
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
# Redirect (302) to our own "log in to view" page instead of serving the file
RewriteRule . logintoview.php [R,L]

Or, if the target is a WordPress page slug, the .php extension can be omitted:

# These next two lines will already exist in your .htaccess file
RewriteEngine On
RewriteBase /
# Add these lines right after the preceding two
# Match only a real file extension (note the escaped dot), case-insensitively
RewriteCond %{REQUEST_FILENAME} \.(pdf|m4a|jpg|gif|jpeg|doc|docx|png)$ [NC]
# ...and only when no WordPress login cookie is present in the request
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in [NC]
# Redirect (302) to the WordPress page with the slug "logintoview"
RewriteRule . logintoview [R,L]

Now ALL requests for pdf, doc and docx files are blocked for normal visitors! But your site will usually have several posts and pages, and several documents, that are meant to be open to the public and guests. In that scenario this site-wide rule will not work out.

At that point it is better to have a folder under your 'uploads' directory that contains all the protected files. If you place the same .htaccess file inside that folder, only requests for files in it are checked, and the rest of your normal media is untouched.
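One caveat with the rules above: Apache can only check that a cookie named wordpress_logged_in is present, it cannot verify it. To have WordPress itself confirm the login before a file leaves the protected folder, here is an added example (not from the original post) of a small handler placed in the WordPress root; the file name serve-protected.php, the folder name protected and the .htaccess routing line in the comments are assumptions.

```php
<?php
// serve-protected.php (hypothetical name): placed in the WordPress root, it
// streams a file from wp-content/uploads/protected/ only to a logged-in user.
// Assumed .htaccess inside wp-content/uploads/protected/ that routes every
// request for that folder to this script (site assumed at the domain root):
//   RewriteEngine On
//   RewriteRule ^(.+)$ /serve-protected.php?f=$1 [L]
require_once __DIR__ . '/wp-load.php';
// is_user_logged_in() validates the auth cookie's signature and expiry; the
// .htaccess rules only test that a cookie with that name is present.
if ( ! is_user_logged_in() ) {
    wp_safe_redirect( wp_login_url( home_url( $_SERVER['REQUEST_URI'] ) ) );
    exit;
}

$base = realpath( WP_CONTENT_DIR . '/uploads/protected' );
$name = isset( $_GET['f'] ) ? (string) $_GET['f'] : '';

// Accept a single file name with a known extension: no slashes, no "..".
if ( ! preg_match( '/^[A-Za-z0-9_-]+\.(pdf|docx?|m4a|jpe?g|gif|png)$/i', $name ) ) {
    status_header( 404 );
    exit;
}

// realpath() resolves symlinks, so also confirm the result stays inside $base.
$path = realpath( $base . '/' . $name );
if ( false === $base || false === $path || ! is_file( $path )
    || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
    status_header( 404 );
    exit;
}

$types = array(
    'pdf'  => 'application/pdf',
    'doc'  => 'application/msword',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'm4a'  => 'audio/mp4',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
);
$ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
nocache_headers(); // keep the protected file out of shared and browser caches
header( 'Content-Type: ' . $types[ $ext ] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: inline; filename="' . basename( $path ) . '"' );
readfile( $path );
```

Because the script loads WordPress, the same check can be extended to membership levels with current_user_can() or your membership plugin's own API.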

Have a great business requirement translated! 🙂 Enjoy!

About mytechlifedays

It's been a wonderful learning period over the last 6 years in the IT industry, getting exposed to a whole lot of technologies and ideas. The hurdles and the crises that came along have been a wonderful experience... And now it's time to pen them down so that others can execute faster and more easily with this information.....