How Can I Prevent Direct URL Access to My Files from Outside My Website?

This solution prevents direct URL access to the files in your list on Apache web servers, which is what most sites run on.

Locking Down Your Files

First, create a text file named htaccess.txt

Next, add this content:

# Simple File List Access Restricter

RewriteEngine On

# 1) If the Referer is missing or does NOT point at the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*

# 2) Deny access to these types (NC = match the extension in any letter case)
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip)$ - [F,NC]

In the last line, you can change the file types that you want to restrict.

Next, put this file in your file list’s folder.
The default location is: wp-content/uploads/simple-file-list/

Rename the file to: .htaccess
Note that this will make it a hidden file. If it disappears, don’t panic. Turn on “Show Hidden Files” to see it.

Now flush your cache and try to access a file directly. You should get a Forbidden Error, but you should be able to open and download files from the pages on your site.

NOTE: This will break the email links in the Send Files function and within your file upload notices (since they are direct links), but everything on your site will work as normal.

IMPORTANT: If you are trying to protect files from your own users, this solution can be easily circumvented. Users who can create posts or pages can create links to the files from their pages, then access the file by clicking on the link.
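
To see which requests the rule pair above allows and which it refuses, including why the email links break, here is an added example (not part of the original article) that models the RewriteCond and RewriteRule in Python. The function name, the sample hosts and the sample file names are assumptions made for illustration, and the extension list is assumed to be matched case-insensitively.

```python
import re

# The RewriteCond tests the string "%{HTTP_HOST}@@%{HTTP_REFERER}".
# \1 re-uses the captured host, so the pattern only matches when the
# Referer starts with http(s)://<requested host>/
SAME_HOST = re.compile(r"^([^@]*)@@https?://\1/.*")

# Extension list from the RewriteRule. Assumption: it is matched
# case-insensitively, i.e. the rule carries the NC flag.
RESTRICTED = re.compile(
    r"\.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip)$",
    re.IGNORECASE,
)


def is_blocked(host, referer, path):
    """Return True when the rule pair would answer 403 Forbidden."""
    cond_string = f"{host}@@{referer or ''}"
    # The leading "!" negates the condition: it holds when the Referer
    # is absent or names a different host than the one requested.
    from_outside = SAME_HOST.match(cond_string) is None
    return from_outside and RESTRICTED.search(path) is not None


# Constructed requests; example.com and other.example are placeholders.
SAMPLES = [
    ("link clicked on the site", "example.com", "https://example.com/files/", "report.pdf"),
    ("typed URL or email link", "example.com", None, "report.pdf"),
    ("link on another site", "example.com", "https://other.example/page", "report.pdf"),
    ("page on bare host, file on www", "www.example.com", "https://example.com/files/", "report.pdf"),
    ("upper-case extension", "example.com", None, "REPORT.PDF"),
    ("type not in the list", "example.com", None, "notes.txt"),
]

if __name__ == "__main__":
    for label, host, referer, path in SAMPLES:
        verdict = "403 Forbidden" if is_blocked(host, referer, path) else "served"
        print(f"{label:32} {verdict}")
```

The fourth sample shows a false positive to watch for: if your pages load on example.com but the file links point at www.example.com, the hosts do not match and your own visitors are refused.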

7 thoughts on “How Can I Prevent Direct URL Access to My Files from Outside My Website?”

    • It’s like locking your door. If someone really wants to get in, they will. This is a good time to point out that you never want to have any sensitive documents posted on a publicly accessible web server.

