Personal Blog

How do I stop my uploaded WordPress files from being accessed by users who are not logged in?

One of the security loopholes in WordPress is that while you can prevent pages and posts from being accessed by unauthorised users who are not logged in, any uploaded files (images, PDFs and so on) remain available to anyone who has the URL. If a URL is picked up by search engines, the content of PDFs and other files you wish to keep out of public view may be indexed and cached as well.

To protect your uploaded WordPress files from users not logged in

In the directory you wish to protect (e.g. /wp-content/uploads/private) create a .htaccess file and insert the following content:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Only act on requests whose path lies under uploads/private/
RewriteCond %{REQUEST_URI} ^.*uploads/private/.*
# ...and only when no cookie named wordpress_logged_in is present in the request.
# Note: this tests for the cookie's presence only; Apache does not validate its value.
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
# Both conditions met: redirect the visitor to the front page instead of serving the file
RewriteRule . /index.php [R,L]
# Standard WordPress front-controller rules (unchanged)
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

When a user requests a file from that directory, the rewrite rules check for the WordPress login cookie (wordpress_logged_in). If it is absent, the request is redirected to index.php. If you want to force all users to log in, there is a plugin available to do this.
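The rules above only test that a cookie with the login name is present, which Apache cannot verify. A stricter variant, added here as an example and not part of the original post, hands every request under the private folder to a small PHP gatekeeper that asks WordPress whether the session is actually valid before streaming the file. It assumes the script is saved as private-file.php in the WordPress root and receives the relative file path in a query parameter named f (both names are assumptions).

```php
<?php
// Added example (not from the original post). Save as private-file.php in the
// WordPress root and replace the cookie test in wp-content/uploads/private/.htaccess with:
//   RewriteEngine On
//   RewriteRule ^(.*)$ /private-file.php?f=$1 [QSA,L]
// Apache then never serves a private file directly; WordPress decides who receives it.

require_once __DIR__ . '/wp-load.php';   // boots WordPress and validates the auth cookie

if (!is_user_logged_in()) {
    auth_redirect();                      // sends the visitor to wp-login.php and exits
}

// Resolve the private folder and the requested file to real paths.
// realpath() collapses "..", so a request that escapes the folder is refused below.
$baseDir   = realpath(wp_upload_dir()['basedir'] . '/private');
$requested = isset($_GET['f']) ? (string) $_GET['f'] : '';
$path      = $baseDir === false ? false : realpath($baseDir . '/' . $requested);

if ($path === false
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    status_header(404);                   // same answer for missing and out-of-folder paths
    exit;
}

$mime = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
header('X-Robots-Tag: noindex, nofollow');   // keeps search engines from indexing the file
header('Cache-Control: private, no-store');  // no shared caches or stale copies
readfile($path);
exit;
```

Because the decision now comes from is_user_logged_in(), a client that merely sends a cookie named wordpress_logged_in is still treated as anonymous.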