Hi, this plugin does not protect the /wp-content/uploads/ folder. You could search at the following URL: https://ww.wp.xz.cn/support/. This question has been asked many times in the past.
Let me know if you need more help.
Regards
Thread Starter
peerv
(@peerv)
That is a disappointment! This plugin does so many nice things protecting a WP site thru htaccess settings, a /uploads protection would be a minor addition I would think.
Most of the plugins providing /uploads protection are outdated!
I did set the “Prevent Hotlinks” feature, but I am still able to access the images with a direct link to the image!?
Is that not what this function should do, protecting against direct link access?
This I find in my htaccess:
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://wp\.********** [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
Hi, the Prevent Hotlinks feature only stops the image from being displayed on websites on other servers. In other words, if someone decided to add an image from your site to their site, the link would not work. It would default to plain text. This would prevent leakage of bandwidth and resources from your site. This does not stop anyone from accessing an image URL from your site.
Remember, if you go to [www.yoursite.com/wp-content/uploads/] you will get an error message. This is actually protecting the uploads folder. Make sure that in the Filesystem Security tab you have set up the correct permissions as per the plugin recommendations.
Let me know if you need more help.
Kind regards
This reply was modified 9 years, 2 months ago by mbrsolution.
Hi peerv. I guess one of the codes below might help you. They block direct file access to anything (folders or files) inside the wp-content/uploads folder for users who are not logged in.
# RETURNS A FORBIDDEN TO A NOT LOGGED IN USER
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteCond %{REQUEST_URI} ^(.*/wp-content/uploads/.+)$ [NC]
RewriteRule ^(.*)$ - [R=403,L]
# REDIRECT A NOT LOGGED IN USER TO THE LOGIN PAGE
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteCond %{REQUEST_URI} ^(.*/wp-content/uploads/.+)$ [NC]
RewriteRule ^(.*)$ wp-login.php [R=temporary,L]
# REDIRECT A NOT LOGGED IN USER TO AN INFORMATION PAGE ON YOUR SITE
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteCond %{REQUEST_URI} ^(.*/wp-content/uploads/.+)$ [NC]
RewriteRule ^(.*)$ your-page-informing-the-need-of-login [R=temporary,L]
These codes were based on the article below:
https://wpguru.co.uk/2012/01/how-to-prevent-direct-file-access-in-your-wp-content-directory/
You can add this code to your .htaccess using the “Custom Rules” feature of the plugin. Note that the third code cannot be used directly: you must replace “your-page-informing-the-need-of-login” with a real page of your site.
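Added example, not part of the thread or of the plugin's code: a Python model of the two rule sets quoted above (the AIOWPS hotlink block and the first cookie rule), run against constructed requests to show which ones each rule answers with 403. The host `wp.example.test` stands in for the redacted site name, and the function names and sample requests are assumptions made for illustration.

```python
import re

# Assumption: the site host is redacted in the thread; wp.example.test is a placeholder.
SITE_REFERER = re.compile(r"^http(s)?://wp\.example\.test", re.I)
IMAGE = re.compile(r"\.(gif|jpe?g?|png)$", re.I)
UPLOADS = re.compile(r"^(.*/wp-content/uploads/.+)$", re.I)
LOGGED_IN = re.compile(r"^.*wordpress_logged_in.*$", re.I)


def hotlink_rule_blocks(uri, referer=""):
    """AIOWPS_PREVENT_IMAGE_HOTLINKS: every RewriteCond must hold before [F] applies."""
    return (
        referer != ""                              # HTTP_REFERER !^$
        and IMAGE.search(uri) is not None          # image extension (file assumed to exist)
        and SITE_REFERER.search(referer) is None   # Referer is not the site itself
    )


def login_cookie_rule_blocks(uri, cookie=""):
    """First rule of the last reply: 403 when no wordpress_logged_in cookie is sent."""
    return (
        LOGGED_IN.search(cookie) is None           # HTTP_COOKIE !^.*wordpress_logged_in.*$
        and UPLOADS.search(uri) is not None        # REQUEST_URI under wp-content/uploads/
    )


# Constructed sample requests: (label, uri, referer, cookie)
IMG = "/wp-content/uploads/2017/01/photo.jpg"
PDF = "/wp-content/uploads/2017/01/report.pdf"
SAMPLES = [
    ("direct link, no referer", IMG, "", ""),
    ("embedded on another site", IMG, "https://other.example.test/page", ""),
    ("embedded on own site", IMG, "https://wp.example.test/post", ""),
    # The rule matches on the cookie name only; WordPress never validates it here.
    ("cookie name present", IMG, "", "wordpress_logged_in_0000=constructed"),
    ("non-image upload, no referer", PDF, "", ""),
]


def evaluate(samples=SAMPLES):
    """Return {label: (blocked_by_hotlink_rule, blocked_by_cookie_rule)}."""
    return {
        label: (hotlink_rule_blocks(uri, ref), login_cookie_rule_blocks(uri, cookie))
        for label, uri, ref, cookie in samples
    }


if __name__ == "__main__":
    for label, (hot, cook) in evaluate().items():
        print(f"{label:30} hotlink: {'403' if hot else 'served'}  cookie: {'403' if cook else 'served'}")
```

The direct-link row shows why the image stayed reachable with only “Prevent Hotlinks” enabled: a request with an empty Referer is exempt from that rule. The cookie rule is a presence check made by Apache, so it deters casual access but is not a substitute for serving private files through an authenticated handler.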