On a members only site logged in members can access the files in the uploads folder, if not logged in they are redirected to the login screen. I'm using the following in the .htaccess file to do that:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# Skip the check when the request is linked from the site itself
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example/ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(doc|xls|pdf|html|htm|xlsx|docx|mp4|mov|rtf|ppt|pptx) [NC]
# Only checks that a login cookie is present; the cookie itself is not validated here
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
# External redirect to the login page; R forces the redirect, L stops further rules
RewriteRule .*\.(doc|xls|pdf|html|htm|xlsx|docx|mp4|mov|rtf|ppt|pptx)$ http://example/member-login/ [NC,R=302,L]
</IfModule>
# END WordPress
This works great, but I now have a scenario where I need to allow some files from the uploads directory to be accessible to anybody; these files will always be linked to from the home page.
Is there a way I can do this using the file name? Maybe only allowing access to files that are prepended with public_ for example?
Any other ideas about how to solve this?
Cheers
Asked Dec 12, 2016 at 19:37 by leanda, edited Dec 12, 2016 at 19:45.

1 Answer
This actually does not work great at all, as the existence of the cookie does not indicate that the user is logged in, or even that he was ever logged in. All it indicates is that someone somehow set that cookie. To know that the user accessing the file is actually logged in or ever was, you need to actually validate the content of the cookie, something that you cannot do in .htaccess.
Granted, that is good enough for probably 95% of the use cases, but if you "hide" something that might be worth "money," you should rethink it.
In theory, the right solution is to avoid putting private information into the uploads directory, and have only public info there. The private info you serve from a URL you define in WordPress, for example a specific page, or with a special rewrite rule, after you check the credentials of the user.
For inspiration, you can look at how the EDD plugin serves its files to people that paid for them.
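One way to do what the answer describes, serving private files from a URL handled by WordPress after a real login check, as an added example that is not part of the question or the answer. It assumes a hypothetical directory wp-content/private-files/ that is not served directly by the web server, and a hypothetical URL /private-file/<name> mapped to a query var named private_file.

```php
<?php
// Added example, not the question's or answer's code: serve private files
// through WordPress after a real login check instead of trusting the mere
// presence of a wordpress_logged_in cookie in .htaccess.
// Assumptions (hypothetical): files live in wp-content/private-files/, a
// directory that is not served directly, and /private-file/<name> maps to
// the query var "private_file". Flush permalinks once after adding this.

add_action( 'init', function () {
    add_rewrite_rule( '^private-file/([^/]+)/?$', 'index.php?private_file=$matches[1]', 'top' );
} );

add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'private_file';
    return $vars;
} );

add_action( 'template_redirect', function () {
    $name = get_query_var( 'private_file' );
    if ( '' === $name ) {
        return;
    }

    // is_user_logged_in() validates the cookie's HMAC and expiry against the
    // user's stored password hash and session token; a forged cookie fails here.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_safe_redirect( wp_login_url( home_url( '/private-file/' . rawurlencode( $name ) . '/' ) ) );
        exit;
    }

    // Accept only a plain filename with a known extension: no slashes, no dot-segments.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.(pdf|docx?|xlsx?|pptx?|mp4)$/', $name ) ) {
        status_header( 404 );
        exit;
    }

    $path = WP_CONTENT_DIR . '/private-files/' . $name;
    if ( ! is_file( $path ) ) {
        status_header( 404 );
        exit;
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
} );
```

Public files can stay in the normal uploads directory and be linked as before; only the files that must be gated move to the non-served directory.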