Protect WordPress Media Files


This content originally appeared on Perishable Press and was authored by Jeff Starr

This is an experimental technique that I am playing with. It’s the simplest possible way that I could think of to protect all files in the WordPress Media Library using only Apache/.htaccess. I’ve been testing the code on an image-heavy site and so far there are no issues. So I want to put the code out there for others to test and hopefully provide feedback if anything is less than perfect. It’s a super simple method that prevents media files from being accessed from anywhere other than the site at which they are hosted.

What it Does

This technique adds a slice of code to your main .htaccess file. The code checks if the URI request is for any file inside of the WP Media Library, specifically any file located in the /wp-content/uploads/ directory. If the request is for a media file, the code then checks if the referrer matches your site URL. If it doesn’t match, the image request is from some other site, and thus will be blocked. This technique works because, when a browser loads an image embedded in one of your pages, the referrer it sends is your own site.

The Code

Here is the .htaccess code to protect WP media files. Make sure to read the Pros and Cons before using this technique.

# Protect WP Media Files
# https://m0n.co/protect-media-files
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_URI} /wp-content/uploads/ [NC]
	RewriteCond %{HTTP_REFERER} !^https://example.com [NC]
	RewriteRule .* - [F,L]
</IfModule>

Add that to your site’s main .htaccess file, change example.com to match your site, and done. You can (and should) test the technique by visiting pages that display your media files. Also try requesting the media files directly. Also you can test hotlinking of your images by using a free online hotlink checker. Test well and please report any bugs, issues, etc.

How it Works

For those interested in how the code works, here is a line-by-line breakdown:

  • Open the <IfModule> container if mod_rewrite exists
  • Make sure the rewrite engine is enabled (see note)
  • Check if the requested URI is for anything in the WP Media Library
  • Check if the referrer does not match the site URL (note the leading ! in the condition)
  • If both of the previous conditions are true, the request is denied via 403 “Forbidden” response
  • Close the <IfModule> container

So the technique is very simple and lightweight. Again, remember to change the example.com with the actual URL of the site. Then test well.

Note: It’s okay to have more than one RewriteEngine On rule declared in your .htaccess file. Apache simply ignores the repeats once the rewrite engine is enabled.
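To see exactly which requests the rule set blocks, here is an added Python emulation of the two RewriteCond checks and the [F] rule (example code, not from the post). The request URIs and referrers are constructed samples, example.com is the post’s placeholder host, and the tightened referer pattern is my own variant, not the author’s.

```python
import re

# Patterns from the post's .htaccess (example.com is the post's placeholder host).
UPLOADS_PATTERN = r"/wp-content/uploads/"
REFERER_PATTERN = r"^https://example.com"
# Tightened variant (my assumption, not from the post): escaped dot, optional www,
# and a host boundary so a host that merely starts with the site name no longer matches.
REFERER_PATTERN_TIGHT = r"^https://(www\.)?example\.com(/|$)"


def rewrite_decision(request_uri, referer, referer_pattern=REFERER_PATTERN):
    """Emulate the two RewriteCond lines followed by `RewriteRule .* - [F,L]`.

    RewriteCond does an unanchored regex search and [NC] makes it
    case-insensitive. The leading '!' on the referer condition means that
    condition holds when the referer does NOT match. Both conditions must
    hold for the rule to fire; it then answers 403. Otherwise the request
    is served normally (200). A missing Referer header is the empty string.
    """
    in_uploads = re.search(UPLOADS_PATTERN, request_uri, re.IGNORECASE) is not None
    referer_matches = re.search(referer_pattern, referer or "", re.IGNORECASE) is not None
    return 403 if in_uploads and not referer_matches else 200


# Constructed sample requests: (uri, referer) -> expected status under the post's pattern.
SAMPLES = {
    ("/wp-content/uploads/2021/11/photo.jpg", "https://example.com/some-post/"): 200,
    ("/wp-content/uploads/2021/11/photo.jpg", "HTTPS://EXAMPLE.COM/"): 200,   # [NC]
    ("/wp-content/uploads/2021/11/photo.jpg", ""): 403,                        # direct access
    ("/wp-content/uploads/2021/11/photo.jpg", "https://hotlinker.example/"): 403,
    ("/wp-content/uploads/2021/11/photo.jpg", "http://example.com/"): 403,     # scheme mismatch
    ("/wp-includes/css/dist/block-library/style.css", ""): 200,               # not in uploads
}


def check_samples(referer_pattern=REFERER_PATTERN):
    """Return {(uri, referer): status} for every sample under the given pattern."""
    return {req: rewrite_decision(req[0], req[1], referer_pattern) for req in SAMPLES}


def lookalike_host_gap():
    """Why the tightened pattern exists: a referer whose host merely starts with
    the site name passes the post's prefix pattern but not the tightened one."""
    uri = "/wp-content/uploads/2021/11/photo.jpg"
    ref = "https://example.com.lookalike.example/"
    return rewrite_decision(uri, ref), rewrite_decision(uri, ref, REFERER_PATTERN_TIGHT)


if __name__ == "__main__":
    for (uri, ref), status in check_samples().items():
        print(f"{status} {uri} referer={ref!r}")
    print("lookalike host:", lookalike_host_gap())  # (200, 403)
```

The http:// sample is worth noting: a site still served over plain HTTP, or one whose pages use www, needs the pattern adjusted accordingly or its own embedded images get a 403.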

Pros & Cons

There are some pros and cons to techniques like this. First the Pros:

  • Pro — Protects against hotlinking
  • Pro — Prevents direct image access (i.e., no referrer)
  • Pro — Helps to ensure images are displayed only on your site
  • Pro — Super simple, lightweight and fast

And the Cons:

  • Con — Prevents images from appearing in image search results
  • Con — Prevents direct image access (i.e., no referrer)
  • Con — Experimental, not well tested (as of 2021/11/21)
  • Con — It’s possible for bad actors to fake/spoof the referrer

So it’s a limited use-case scenario, where you want to retain as much control and protection for your images as possible. Notice that some items are on both the pro and con lists. This is because whether something is a pro or a con depends on your goals, strategy, and so forth. For example, Andy may like to see his images appear in image-search results, while April, on the other hand, would rather not.

Also keep in mind that this technique is not a 100% guarantee of anything. It is just as strong as other anti-hotlink and image-protect techniques, but could be bypassed by anyone with the ability to spoof a referrer. Spoofing a referrer is one of the oldest tricks in the book; however, most requests don’t bother spoofing anything. So the technique generally should be effective.



Jeff Starr | Sciencx (2021-11-21T20:24:04+00:00) Protect WordPress Media Files. Retrieved from https://www.scien.cx/2021/11/21/protect-wordpress-media-files/