At Flying change Webs & Graphics, we often work with organizations that offer information for staff or membership only. WordPress has some nice password protection functions that are easy to use. However, the problem comes with PDF files that need to be password protected as well as hidden from search engines. Sure, you can password protect a page, which protects the link. But if someone has the direct link to the PDF file, there is nothing to “stop” them from opening the document through that link.
Surprisingly, this is a function that is lacking in WordPress, and I have yet to find a plugin that will actually protect the PDF from both direct links from non-members and search engine indexing.
The search engine indexing problem was taken care of by adding a robots.txt file that excluded the upload folder.
To protect the PDFs, I created an .htaccess file in the wp-content folder (ask your web host for access through the control panel) and placed this code:
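```apache
RewriteEngine On
# Let the request through if it came from a page on this site (use your own domain here)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mywebsite\.org/ [NC]
# Let a placeholder file named hotlink.<ext> through
RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov) [NC]
# Let the request through if it carries a WordPress login cookie
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
# Any other request for these file types is sent to the home page
RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)$ http://mywebsite.org/ [NC]
```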
Voila! Password protected and search engine safe!
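As an added example (not part of the original post), here is a small Python model of how Apache evaluates the rules above, run over constructed requests. The three RewriteCond lines are ANDed and only pattern-match request headers and the path rather than checking a WordPress session, so the table shows exactly which requests are served and which are redirected. mywebsite.org is the post's placeholder; the paths, Referer values and cookie value are constructed.

```python
import re

# Python model of the .htaccess rules above (added illustration, not Apache itself).
# mywebsite.org is the post's placeholder; all requests below are constructed.
EXT = r"(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov)"
REFERER_OK = re.compile(r"^http://(www\.)?mywebsite\.org/", re.I)
HOTLINK = re.compile(r"hotlink\." + EXT, re.I)
LOGGED_IN = re.compile(r"^.*wordpress_logged_in.*$", re.I)
PROTECTED = re.compile(r".*\." + EXT + r"$", re.I)


def decide(path, referer="", cookie=""):
    """Return 'redirect' or 'serve' for one request under wp-content."""
    if not PROTECTED.match(path):
        return "serve"  # RewriteRule pattern does not match this file type
    # Consecutive RewriteCond lines are ANDed: the rule fires only if all hold.
    conditions = (
        not REFERER_OK.search(referer),
        not HOTLINK.search(path),
        not LOGGED_IN.search(cookie),
    )
    return "redirect" if all(conditions) else "serve"


PDF = "uploads/2015/09/minutes.pdf"
CASES = [
    ("direct URL, no login", PDF, "", ""),
    ("arrived from another site", PDF, "http://search.example/results", ""),
    ("logged-in member", PDF, "", "wordpress_logged_in_SAMPLE=constructed"),
    ("link clicked on the site, no login", PDF, "http://www.mywebsite.org/news/", ""),
    ("hotlink placeholder image", "uploads/hotlink.png", "", ""),
    ("file type not in the list", "uploads/2015/09/archive.zip", "", ""),
]


def decision_table():
    """Evaluate every constructed case and return (label, decision) pairs."""
    return [(label, decide(path, ref, cookie)) for label, path, ref, cookie in CASES]


if __name__ == "__main__":
    for label, decision in decision_table():
        print(f"{decision:8}  {label}")
```

The last three rows are the ones to check against your own site: a link on any public page sends an on-site Referer, and an upload whose extension is missing from the list is never matched by the rule.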
(The description below also works, but takes more work. I prefer the method above).
Password protecting the PDFs was a little more difficult. Since I couldn’t find a WordPress plugin to do the trick, I think I have come up with a suitable workaround. It takes two easy steps:
- Using the Media File Manager plugin, I created a members-only directory in my upload folder and followed the plugin’s basic instructions to move the client’s PDF files into the special folder.
- Logging into the host control panel, I navigated to the special folder and password protected the entire folder – just like I would for a non-WordPress website.
Cheryl says
Very helpful, but how do I find the url for the upload folder?
Debbie says
The upload folder is a standard WP folder and can be found by going to your root installation folder of wp > wp-content > upload.
Ying-Fu Li says
Hi,
What do you mean by ‘logging into the host control panel’? That is beyond the scope of WordPress?
Debbie says
The control panel is the area provided by your web hosting company where you can access the files on the backend.
Jami Gold says
Thank you so much for this! The code worked perfectly.
I just discovered an hour ago that the PDFs and .XLSs I *thought* were protected behind a password-protected page, in fact, weren’t protected at all. And search engine results were feeding people straight to my documents.
I was close to a full-on panic when I found these instructions. Thank you, thank you, thank you!
Debbie says
Glad it helped!
jantien says
thanks a million Debbie!
it worked for me too, felt very relieved after the same panic occurred to me as with Jami.
Is it still working for the current version of WP? (just to be sure)
Kieron says
Thanks, this was really helpful to me today.
Joel says
Hi, Just wanted to ask, do I put the code for the .htaccess file as is or do I need to change anything in the code?
Thanks for your help.
Joel says
Please disregard the last questions, I changed the url from the sample provided to my site. Note, I’m using a WordPress Multisite install with Subdomains. Also does it make a difference if I use www or no www for the site url?
Thanks
Debbie says
If you use it as is the (www)? puts that question into play and should take care of it either way. How is it working for you on multisite? I’ve only used it with single sites.
Lee says
Looks like this would preclude having a pdf link in a public area of your site. We have some areas open to public view and some requiring membership to our homeowners association. If I read this correctly all pdfs, xls, etc. would require login. I don’t see an easy solution to allow some pdfs to be public.
Debbie says
You would only place the files you need protected into the special directory. Others that are public can be loaded into the media directory as usual.
BJ says
Thanks a lot. Your suggestion helped me control access to the content folder on my wordpress site.
Debbie says
I always love hearing that what is posted has helped!
Pavitra Motwani says
Your solution is to protect all the assets in the Media Library. However, if we want some documents protected and some not (so they can be searchable by search engines) as well, then what is the solution?
Please email me your reply. Thanks in advance
Debbie says
You can either upload your theme file using ftp or compress the theme folder (.zip) and upload it as a new theme right into wordpress. These options only load the theme files, not the uploads folder or database.
Debbie says
The second option (below the .htaccess solution) works. There is also a plugin called WP FileBase that is now available and works very well for this.
Martin Hansson says
Hi 🙂
I can make this work, and have them shown only when logged in, but when hotlinking directly to the files, e.g. writing http://mysite.dk/wp-content/uploads/2015/09/filename.pdf directly in the browser, the download starts. How can that be prevented?
Martin
Debbie says
WP Filebase is a plugin I’ve discovered since writing that blog article – it works great. Give it a try: https://wordpress.org/plugins/wp-filebase/
Matt says
Excellent work around, I adjusted the code so it only applies to PDFs but it works a treat.
Thanks!
Debbie says
Always makes my day when something I post helps another!
Deborah says
This is fantastic … works on a directory outside of WordPress, too. For instance, mysite.com/documents. Thanks so much.
Donna says
Thanks so much!! I’m done panicking now too — and maybe my sales will pick up again since they can’t get the info for free!
Debbie says
Terrific!
Sharon says
Hello Debbie, the files I want to protect are sellable on woocommerce. If a file gets sold, will it require the buyers to log in to access it?
Also a quick one: the snippet ‘ mywebsite.org/ [NC]’ in the code, do I need to add my website url? (I’m a newbie working up to design my website)
Debbie says
Yes they would need to be logged in. Are you selling access (like membership) or a single document? There are other ways to handle this if you’re selling downloads and/or access. S2Member (pro) is a great membership/access program that allows for things like this as well. And … yes the url would be your own website address.
Sharon says
Thank you for responding fast…. I’m selling single files (pdf) with woocommerce. Please, which other ways do you know that I can restrict access to my files from my wordpress library?
Debbie says
I believe WooCommerce has some of those capabilities built in. https://docs.woocommerce.com/document/digital-downloadable-product-handling/
Crystal says
Hi,
I used your code at the top before reading that it would also pw protect images. I have deleted the .htaccess file that I created but it seems that the rewrite is still applied…. How do I undo this? What is the opposite of the code above?
Debbie says
You may need to clear your cache. Also, you can use that code but change the 2 lines with
(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|mov) to include just (pdf).