How Can I Prevent Direct URL Access to My Files from Outside My Website?

This solution will prevent direct URL access to the files in your list on Apache web servers, which most web servers are.

Locking Down Your Files

First, create a text file named htaccess.txt

Next, add this content:

# Simple File List Access Restricter

RewriteEngine On

# 1) If NOT the current host
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*

# 2) Deny access to these types
RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]

In the last line, you can change the file types that you want to restrict.

Next, put this file in your file list’s folder.
The default location is: wp-content/uploads/simple-file-list/

Rename the file to: .htaccess
Note that this will make it a hidden file. If it disappears, don’t panic. Turn on “Show Hidden Files” to see it.

Now flush your cache and try to access a file directly. You should get a Forbidden Error, but you should be able to open and download files from the pages on your site.

NOTE: This will break the email links in the Send Files function and within your file upload notices (since they are direct links), but everything on your site will work as normal.

IMPORTANT: If you are trying to protect access from your own users this solution can be easily circumvented. Users who can create posts or pages can create links to the files from their pages, then access the file by clicking on the link.
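To see exactly which requests the two directives accept and refuse, here is an added Python model of them (my own illustration, not code from the plugin or the original post); it applies the page's own regular expressions unchanged and assumes a hypothetical site example.com with a handful of constructed requests. It also shows two edge cases a practitioner should know: a browser that sends no Referer is refused even from your own pages, and the match is case-sensitive because the rule has no [NC] flag.

```python
import re

# The RewriteCond above is tested against the string Apache builds as
# "<HTTP_HOST>@@<HTTP_REFERER>"; the back-reference \1 forces the host in
# the Referer to equal the Host header of the request being served.
SAME_HOST = re.compile(r"^([^@]*)@@https?://\1/.*")

# Extension list copied from the RewriteRule above. The rule carries no [NC]
# flag, so the match is case-sensitive, exactly as in the .htaccess file.
RESTRICTED = re.compile(
    r"\.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$"
)


def is_forbidden(path: str, host: str, referer: str) -> bool:
    """True when the two directives would answer 403 (the [F] flag).

    The condition is negated ('!'), so it holds whenever Host@@Referer does
    NOT match the same-host pattern; the rule then fires only for paths
    ending in one of the listed extensions. Anything else is served.
    """
    not_same_host = SAME_HOST.match(f"{host}@@{referer}") is None
    return not_same_host and RESTRICTED.search(path) is not None


# Constructed sample requests (host, referer, path, expected 403?) for the
# hypothetical site example.com using the plugin's default upload folder.
FOLDER = "wp-content/uploads/simple-file-list/"
SAMPLES = [
    # Link clicked on one of our own pages: Referer host matches -> served.
    ("example.com", "https://example.com/downloads/", FOLDER + "report.pdf", False),
    # URL typed straight into the address bar: no Referer at all -> 403.
    # (A browser that omits the Referer because of a strict Referrer-Policy
    # is refused the same way, even when it came from our own page.)
    ("example.com", "", FOLDER + "report.pdf", True),
    # Hotlink embedded on another site -> 403.
    ("example.com", "https://other.example/post", FOLDER + "report.pdf", True),
    # Lookalike host: \1 must be followed by '/', so this does not pass -> 403.
    ("example.com", "https://example.com.evil.test/", FOLDER + "report.pdf", True),
    # Extension not in the list: the rule never applies -> served.
    ("example.com", "", FOLDER + "notes.txt", False),
    # Upper-case extension: no [NC] flag, so it is not matched -> served.
    ("example.com", "", FOLDER + "report.PDF", False),
]


def check_samples(samples=SAMPLES) -> bool:
    """Return True if every sample produces the outcome recorded for it."""
    return all(is_forbidden(p, h, r) == want for h, r, p, want in samples)


if __name__ == "__main__":
    for host, referer, path, _ in SAMPLES:
        verdict = "403 Forbidden" if is_forbidden(path, host, referer) else "served"
        print(f"{path:<48} Referer={referer or '(none)':<34} -> {verdict}")
```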

10 thoughts on “How Can I Prevent Direct URL Access to My Files from Outside My Website?”

  1. # Simple File List Access Restricter

    RewriteEngine On

    # 1) If NOT the current host
    RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*

    # 2) Deny access to these types
    RewriteRule \.(gif|jpg|jpeg|png|tif|pdf|wav|wmv|wma|avi|mov|mp4|m4v|mp3|zip?)$ - [F]

    Wouldn't there have to be a place to put the URL of our site for it to work?

    • Wouldn’t there have to be a place where to put the URL of our site to work?

      No. This rule will apply to anyone who reaches the folder. The domain name does not matter.

      No. This rule applies to anyone who accesses the folder. The domain name does not matter.

    • It’s like locking your door. If someone really wants to get in, they will. This is a good time to point out that you never want to have any sensitive documents posted on a publicly accessible web server.

