This solution prevents direct URL access to the files in your list on Apache web servers, which most servers are.
Locking Down Your Files
First, create a text file named htaccess.txt
Next, add this content:
# Simple File List Access Restricter
RewriteEngine On
# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
# 2) Deny access to these types
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]
In the last line, you can change the file types that you want to restrict.
Next, put this file in your file list’s folder.
The default location is: wp-content/uploads/simple-file-list/
Rename the file to: .htaccess
Note that this will make it a hidden file. If it disappears, don’t panic. Turn on “Show Hidden Files” to see it.

Now flush your cache and try to access a file directly. You should get a Forbidden Error, but you should be able to open and download files from the pages on your site.
NOTE: This will break the email links in the Send Files function and within your file upload notices (since they are direct links), but everything on your site will work as normal.
IMPORTANT: If you are trying to protect access from your own users this solution can be easily circumvented. Users who can create posts or pages can create links to the files from their pages, then access the file by clicking on the link.
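As an added illustration (not code from the plugin or from this page's author), the Python model below runs the rule's two regular expressions against constructed sample requests to show which ones Apache would answer with 403 Forbidden. The host example.com, the file names and the decide/audit helpers are assumptions made for the example.

```python
import re

# Patterns copied verbatim from the .htaccess rule above.
COND = re.compile(r"^([^@]*)@@https?://\1/.*")  # RewriteCond negates this with "!"
RULE = re.compile(r"\.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$")

def decide(host, referer, path):
    """Model of the rule: 403 if Apache would answer Forbidden, else 200."""
    # RewriteRule is tested first, case-sensitively (the rule has no NC flag).
    if not RULE.search(path):
        return 200
    # %{HTTP_HOST}@@%{HTTP_REFERER}; an absent header expands to an empty string.
    test_string = f"{host}@@{referer or ''}"
    # \1 forces the Referer's host to be identical to the Host header.
    return 200 if COND.search(test_string) else 403

# Constructed sample requests (example.com is a placeholder host).
SAMPLES = [
    ("link clicked on the site", "example.com", "https://example.com/files/", "report.pdf"),
    ("URL typed or opened from an email", "example.com", None, "report.pdf"),
    ("link on another site", "example.com", "https://other.example/page", "report.pdf"),
    ("page on www, file on bare host", "example.com", "https://www.example.com/files/", "report.pdf"),
    ("Referer header set by the client", "example.com", "https://example.com/", "report.pdf"),
    ("extension not in the list", "example.com", None, "report.docx"),
    ("upper-case extension", "example.com", None, "REPORT.PDF"),
]

def audit(samples=SAMPLES):
    """Return {label: status} for each sample request."""
    return {label: decide(host, ref, path) for label, host, ref, path in samples}

if __name__ == "__main__":
    for label, status in audit().items():
        print(f"{status}  {label}")
```

The www row shows that visitors get a 403 when pages and files are served under different host names, so keep the site on one canonical host. The last two rows are coverage gaps: extend the extension list for other file types, and use [F,NC] instead of [F] so the extension match ignores case.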
I am using XAMPP to run the Apache server,
therefore I had to edit httpd.conf:
remove the comment
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
and change the line to
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Thanks. Good information.
# Simple File List Access Restricter
RewriteEngine On
# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
# 2) Deny access to these types
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]
Wouldn’t there have to be a place to put the URL of our site for this to work?
No. This rule will apply to anyone who reaches the folder. The domain name does not matter.
Was about to give up but made a last try with this code and it works perfectly.
Thanks.
It is very easy to bypass by fake referral
It’s like locking your door. If someone really wants to get in, they will. This is a good time to point out that you never want to have any sensitive documents posted on a publicly accessible web server.
This didn’t change the “copy link” issue I’m having. The file links can still be copied and shared. How can I overcome this issue?
Use some CSS in your theme to hide the link…
.eeSFL_CopyLinkToClipboard { display:none; }
This would be helpful for me. Where exactly do I put this code? Thanks!
In the file that the directions above direct you to create.
Thanks, searched for this too long 😉