How to protect WordPress media files and only allow the users who uploaded them to view

Hello! In the past we have written about how to protect your WordPress media files. In those exercises we set a session cookie carrying encrypted details that could be read and validated both at the HTTP server (nginx) and at the application (PHP/WordPress) level. Since then we have refined the process to be more secure, flexible and efficient: the cookie check that used to verify a request before the file was served is gone, replaced by a slightly more involved but much more robust method. Before getting into the details, why would you want to protect WordPress media files at all? The answer obviously depends on the kind of site you run and what you are trying to do. In our scenario, which is not especially unique, end users register for an account in order to check out of a WooCommerce store. We […]

Protect and lock down your WordPress media files

Hello! Occasionally we have needed to lock down some or all of the WordPress media library from public viewing and indexing. The reasons vary, from preventing sensitive information leakage to protecting private user data (for example custom media files uploaded on a per-user-account basis). Either way, there is a relatively straightforward way to restrict the visibility and permissions of files or folders in the media library so that they are neither indexed (and thereby more easily discovered and accessed by the public) nor reachable by simply browsing the wp-content/uploads folder. Remember that on many hosts this folder is served with directory listing enabled by default (the web server, not WordPress, decides this), so you can often visit a WordPress site, open the folder by hand and browse the files and subfolders to see whether anything sensitive is in there. Sometimes it is not enough to simply edit your robots.txt to not allow […]
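As an added illustration of the two excerpts above (this is example code written for this page, not the method or code from the original posts), here is one way to make nginx ask WordPress before it serves anything under wp-content/uploads, so that directory listings are off and a file is only served to the logged-in user who uploaded it (or an administrator). It is a must-use plugin driven by nginx's `auth_request` directive; the endpoint name `/_media_auth`, the `X-Original-URI` header, the PHP-FPM socket path and the nginx directives in the header comment are all assumptions for the example, and the ownership rule (attachment `post_author` must equal the current user) is one policy among several you could choose.

```php
<?php
/**
 * Example mu-plugin (wp-content/mu-plugins/media-auth.php), not the original
 * post's code. It answers nginx auth_request subrequests for files under
 * wp-content/uploads and only allows the uploading user (or an admin) through.
 *
 * Assumed nginx directives (hypothetical; adjust paths and socket):
 *
 *   location /wp-content/uploads/ {
 *       autoindex off;                 # never list the directory
 *       auth_request /_media_auth;     # ask WordPress before serving the file
 *   }
 *   location = /_media_auth {
 *       internal;
 *       include fastcgi_params;
 *       fastcgi_pass_request_body off;
 *       fastcgi_param CONTENT_LENGTH "";
 *       fastcgi_param SCRIPT_FILENAME $document_root/index.php;
 *       fastcgi_param HTTP_X_ORIGINAL_URI $request_uri;
 *       fastcgi_pass unix:/run/php/php-fpm.sock;
 *   }
 *
 * auth_request treats 2xx as "allow", 401/403 as "deny" and anything else as
 * an error, so this endpoint only ever returns 200, 401 or 403.
 */
defined('ABSPATH') || exit;

const MEDIA_AUTH_PATH = '/_media_auth'; // hypothetical endpoint, must match nginx

add_action('init', function () {
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if ($path !== MEDIA_AUTH_PATH) {
        return; // an ordinary page request, let WordPress continue
    }
    nocache_headers();
    status_header(media_auth_decide($_SERVER['HTTP_X_ORIGINAL_URI'] ?? ''));
    exit;
});

/**
 * Decide the status nginx should use for the original media request:
 * 200 = serve, 401 = not logged in, 403 = logged in but not allowed
 * (also used for unknown or malformed paths, to fail closed).
 */
function media_auth_decide(string $original_uri): int
{
    // Only the path matters; drop the query string and undo percent-encoding
    // so that "%2e%2e" cannot sneak past the traversal check below.
    $path = rawurldecode((string) parse_url($original_uri, PHP_URL_PATH));

    $uploads   = wp_get_upload_dir();
    $base_path = (string) parse_url($uploads['baseurl'], PHP_URL_PATH);
    if (strpos($path, '..') !== false || strpos($path, $base_path . '/') !== 0) {
        return 403; // traversal attempt or not inside the uploads URL space
    }

    if (!is_user_logged_in()) {
        return 401; // anonymous visitor: nothing in uploads is public
    }

    // Map the requested file back to its attachment post. Resized copies
    // (photo-300x200.jpg) are not registered as URLs, so strip the size suffix.
    $relative = preg_replace('/-\d+x\d+(\.[a-z0-9]+)$/i', '$1', substr($path, strlen($base_path)));
    $attachment_id = attachment_url_to_postid($uploads['baseurl'] . $relative);
    if (!$attachment_id) {
        return 403; // unknown file: never serve something WordPress does not know
    }

    if (current_user_can('manage_options')) {
        return 200; // administrators may see everything
    }
    $owner = (int) get_post_field('post_author', $attachment_id);
    return $owner === get_current_user_id() ? 200 : 403;
}
```

Two things a practitioner should check before relying on this: the subrequest must carry the visitor's cookies (nginx forwards request headers to FastCGI by default, which is how `is_user_logged_in()` sees the WordPress auth cookie), and `auth_request` makes every media hit cost a PHP round trip, so keep the endpoint cheap and consider `proxy_cache`/`fastcgi_cache` on the auth location keyed by cookie and URI if the site is busy.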