This solution will prevent direct URL access to the files in your list on Apache web servers, which are most.
NOTE – On Apache web servers, Simple File List will do this automatically for you whenever you restrict access to a list.
Locking Down Your Files
First, create a text file named htaccess.txt
Next, add this content:
# File Access Restricter
RewriteEngine On
# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
# 2) Deny access to these types
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]In the last line, you can change the file types that you want to restrict.
Next, put this file in the folder where your files are located.
Rename the file to: .htaccess
Note that this will make it a hidden file. If it disappears, don’t panic. Turn on “Show Hidden Files” to see it.
Now flush your cache and try to access a file directly. You should get a Forbidden Error, but you should be able to open and download files from the pages on your site.
NOTE: This will break any incoming links to your files which may be on web pages or within emails messages since they are direct links.
IMPORTANT: If you are trying to protect access from your own WordPress users this solution can be easily circumvented. Users who can create posts or pages can create links to the files from their pages, then access the file by clicking on the link.
This doesn’t block access to the files, period! I can still link to the file from any browser and view it.
Please keep in mind that this only works on Apache servers. It will work if properly implemented. If you have a different server type you will need to configure that server specifically.
Hi,
funktioniert super ;-).
Aktuell kopiere ich nach einem Upload die .htaccess automatisch in den jeweiligen Upload-Ordner.
Kann man die .htaccess so anpassen, dass alle Unterordner mit einbezogen werden?
Danke und Grüße
The .htaccess file should apply to sub-folders already.
i am using xampp to run the apache server
therefore i had to edit httpd.conf
remove the comment
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
and change edit the line to
Options Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Thanks. Good information.
# Simple File List Access Restricter
RewriteEngine On
# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://1/.*
# 2) Deny access to these types
RewriteRule .(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ – [F]
não teria que ter um lugar onde colocar a URL do noso site pra funcionar?
Wouldn’t there have to be a place where to put the URL of our site to work?
No. This rule will apply to anyone who reaches the folder. The domain name does not matter.
Não. Esta regra se aplica a qualquer pessoa que acessar a pasta. O nome de domínio não importa.
Was about to give up but made a last try with this code and it works perfectly.
Thanks.
It is very easy to bypass by fake referral
It’s like locking your door. If someone really wants to get in, they will. This is a good time to point out that you never want to have any sensitive documents posted on a publicly accessible web server.
This didn’t change the, “copy link”, issue I’m having. The file links can still be copied and shared. How can I overcome this issue?
Use some CSS in your theme to hide the link…
.eeSFL_CopyLinkToClipboard { display:none; }
this would be helpful for me. Where exactly do I put this code? Thanks!
In the file that the directions above direct you to create.
Thanks, searched for this too long 😉