How Can I Prevent Direct URL Access to My Files from Outside My Website?

This solution prevents direct URL access to the files in your list on Apache web servers, which most web servers are.

NOTE – On Apache web servers, Simple File List will do this automatically for you whenever you restrict access to a list.

Locking Down Your Files

First, create a text file named htaccess.txt

Next, add this content:

# File Access Restricter

RewriteEngine On

# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*

# 2) Deny access to these types
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]

In the last line, you can change the file types that you want to restrict.

Next, put this file in the folder where your files are located.

Rename the file to: .htaccess
Note that this will make it a hidden file. If it disappears, don’t panic. Turn on “Show Hidden Files” to see it.

Now flush your cache and try to access a file directly. You should get a Forbidden Error, but you should be able to open and download files from the pages on your site.

NOTE: This will break any incoming links to your files, such as those on other web pages or in email messages, since they are direct links.

IMPORTANT: If you are trying to protect access from your own WordPress users, this solution can be easily circumvented. Users who can create posts or pages can create links to the files from their pages, then access the file by clicking on the link.
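
The following added example (not part of the original article or of Simple File List) models in Python how the two patterns in the rule above decide a request, including the same-site link case from the IMPORTANT note. The host names, file names and the function name is_forbidden are constructed for illustration.

```python
import re

# The two patterns from the .htaccess rule, copied unchanged.
COND = re.compile(r"^([^@]*)@@https?://\1/.*")
RULE = re.compile(r"\.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$")


def is_forbidden(host, referer, path):
    """Model the rule: True means Apache would answer 403 Forbidden."""
    # The RewriteRule pattern is checked first; other file types pass through.
    if not RULE.search(path):
        return False
    # RewriteCond test string: %{HTTP_HOST}@@%{HTTP_REFERER}
    # (an absent Referer header expands to an empty string).
    test_string = f"{host}@@{referer or ''}"
    # ([^@]*) captures the Host value and \1 requires the Referer URL to
    # start with that same host, so no domain is written into the rule.
    # The leading "!" negates the condition: deny when there is NO match.
    return COND.search(test_string) is None


# Constructed sample requests: (Host header, Referer header, requested file)
SAMPLES = [
    ("example.com", "", "report.pdf"),                               # typed URL or email link
    ("example.com", "https://example.com/files/", "report.pdf"),     # link on the site's own page
    ("example.com", "https://example.com/a-user-post/", "report.pdf"),  # any page on the same host
    ("example.com", "https://other.example/page", "report.pdf"),     # link on another site
    ("www.example.com", "https://example.com/files/", "report.pdf"),  # www / non-www mismatch
    ("example.com", "", "notes.txt"),                                # type not in the list
]

if __name__ == "__main__":
    for host, referer, path in SAMPLES:
        verdict = "403 Forbidden" if is_forbidden(host, referer, path) else "served"
        print(f"{host:16} {referer or '(no referer)':34} {path:11} {verdict}")
```

The www / non-www row is worth checking on a live site: if pages are served under one host name and file links point at the other, visitors get the Forbidden error even when they click from your own pages.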

17 thoughts on “How Can I Prevent Direct URL Access to My Files from Outside My Website?”

    • Please keep in mind that this only works on Apache servers. It will work if properly implemented. If you have a different server type you will need to configure that server specifically.

  1. Hi,

    works great ;-).
    Currently, after an upload, I automatically copy the .htaccess into the respective upload folder.
    Can the .htaccess be adapted so that all subfolders are included?

    Thanks and regards

  2. I am using XAMPP to run the Apache server,
    therefore I had to edit httpd.conf

    remove the comment
    # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews

    and change the line to
    Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews

  3. # Simple File List Access Restricter

    RewriteEngine On

    # 1) If NOT the current host
    RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*

    # 2) Deny access to these types
    RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]

    Wouldn't there have to be a place to put our site's URL for it to work?

    • Wouldn’t there have to be a place where to put the URL of our site to work?

      No. This rule will apply to anyone who reaches the folder. The domain name does not matter.


    • It’s like locking your door. If someone really wants to get in, they will. This is a good time to point out that you never want to have any sensitive documents posted on a publicly accessible web server.

