Paid Memberships Pro gives you many options for protecting WordPress posts, pages and 26 other types of content right out of the box. For some sites, you may want to restrict access to protected files as well.
In this guide, we provide an overview of how you can protect direct access to members-only files with Paid Memberships Pro. You’ll learn how to use the built-in file protection features to securely share downloadable files, like PDFs, ZIPs, or MP4s, with only specific membership levels.
If you’re new to PMPro’s restricted file system, this is a great place to start.

Table of contents
- What Is the PMPro Restricted Files Directory?
- How to Protect Member Downloads
- How To Build Your File Access URLs
- Protecting Files Outside the Restricted File Directory
- Legacy Method: How to Protect Files Outside the Restricted Folder
- Limit The Number of Downloads Members Can Access
- Set Up Multiple Membership Levels For Download Access
- Get Expert Support for Your File Protection Questions
- Frequently Asked Questions
What Is the PMPro Restricted Files Directory?
PMPro now generates a secure, non-public directory within your WordPress site. This folder is meant to store any file that is not intended for public access. We protect these folders and files at the server level, keeping your membership site data and content secure.
Right out of the box, PMPro uses this unique folder and the pmpro_can_access_restricted_file filter to allow admin-only access to gateway debug log files, if enabled, for Stripe Webhooks or PayPal IPN.
You can use this folder and this same filter to store member-only files, eliminating the need for other download management plugins like Download Monitor or Easy Digital Downloads (EDD).
By default, PMPro creates a private directory here:
/wp-content/uploads/pmpro-xxxxxxxxxx/
That xxxxxxxxxx is a unique random string generated for your site so no one can guess the folder’s name. PMPro uses it to keep your files hidden from bots or anyone scanning your uploads folder.

Membership sites thrive on exclusive content, and protecting that content is crucial. Secure file access ensures your resources are only available to the right members, reinforcing the value of your membership while deterring unauthorized sharing.
—David Parker, Lead Developer at Paid Memberships Pro
How to Protect Member Downloads
Step 1: Locate Your Secure Upload Directory
To find your site’s PMPro restricted directory:
- Go to Memberships > Settings > Security in the WordPress admin.
- Scroll to the Restricted Files section.
- Copy the full path to your unique directory. It will look something like:
/wp-content/uploads/pmpro-3a7f9c1b33/
You’ll use this folder as the base for all restricted files.
Step 2: Create a Custom Folder
Inside your unique PMPro folder, create a subfolder for a specific content type, membership level, or use case. For this demo, let’s use:
premium-downloads
The full path to your new restricted files folder will be:
/wp-content/uploads/pmpro-3a7f9c1b33/premium-downloads/
There are several ways to create and manage this folder. The least technical method is via a File Manager provided by your host or cPanel.
Or, if you are comfortable using an FTP client like FileZilla, you can also create this folder and upload files using SFTP. If you don’t know how to use FTP, refer to this WordPress Developer Resource on FTP clients.
Step 3: Upload Files to the Folder
Add any files you want to restrict access to. Common examples:
pricing-guide.pdf
member-starter-kit.zip
exclusive-training.mp4
Step 4: Add the Restriction Code
Now, set up the access rules for this premium-downloads folder using the following snippet:
In this snippet, we are looking at the specific folder named premium-downloads. To gain access to your Pricing Guide PDF, the member must be logged in, have an active membership for either level ID 1, 2, or 3, and be using the correct URL to access it.
If the member does not have one of these levels, or the person attempting to access the file URL is not logged in, the file will not be accessible.
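A sketch of such a rule, added here as an illustration; it is not PMPro's published recipe, so the line numbers quoted below do not refer to it. It assumes the filter passes three arguments in the order `$can_access, $file_dir, $file` (check this against your installed PMPro version); the `vip-videos` folder and the `my_` function names are hypothetical.

```php
<?php
/**
 * Added example: gate PMPro restricted-file folders by membership level.
 * Assumption: the pmpro_can_access_restricted_file filter passes
 * ( $can_access, $file_dir, $file ); verify against your PMPro version.
 */

/**
 * Folder name => level IDs allowed to download from it.
 * 'premium-downloads' and levels 1, 2, 3 come from this guide;
 * 'vip-videos' is a hypothetical second folder.
 */
function my_pmpro_restricted_folder_levels() {
	return array(
		'premium-downloads' => array( 1, 2, 3 ),
		'vip-videos'        => array( 3 ),
	);
}

function my_pmpro_can_access_restricted_file( $can_access, $file_dir, $file ) {
	$folders = my_pmpro_restricted_folder_levels();

	// Not one of our folders: return the incoming value unchanged so other
	// callbacks on this filter (such as PMPro's admin-only access to its
	// gateway debug logs) still make the decision.
	if ( ! is_string( $file_dir ) || ! isset( $folders[ $file_dir ] ) ) {
		return $can_access;
	}

	// Our folder: visitors who are not logged in are refused before any
	// membership lookup happens.
	if ( ! is_user_logged_in() ) {
		return false;
	}

	// True only when the current user holds at least one listed level.
	return (bool) pmpro_hasMembershipLevel( $folders[ $file_dir ] );
}
add_filter( 'pmpro_can_access_restricted_file', 'my_pmpro_can_access_restricted_file', 10, 3 );
```

A folder missing from the map keeps whatever decision it already had, so adding a new subfolder without a map entry does not open it to members.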
Adding the Recipe to Your Website
You can add this recipe to your site by creating a custom plugin or using the Code Snippets plugin available for free in the WordPress repository. Read this companion article for step-by-step directions on either method.
- Change the file directory name on line 23 to match your folder structure.
- Adjust the comma-separated list of level IDs on line 24 to match your levels of access.
You can duplicate lines 23 to 25 for additional folder name and level ID relationships.
Step 5: Test the Download Link
Here’s how to verify everything is working:
Browse your site as a logged-in member of level ID 1, 2, or 3 and visit a file URL like:
https://yourdomain.com/?pmpro_restricted_file_dir=premium-downloads&pmpro_restricted_file=pricing-guide.pdf
The file should download or open in the browser.
Now, copy that URL and try to access it while not logged in to your membership site. Access will be denied and you will see a message “You do not have permission to access this file.”
How To Build Your File Access URLs
When you want to share a restricted file, be it through a download button on your site or in an email to members, it’s accessed through a special PMPro-generated query string. Example:
https://yourdomain.com/?pmpro_restricted_file_dir=premium-downloads&pmpro_restricted_file=pricing-guide.pdf
Here’s what each part of this unique URL means:
- https://yourdomain.com/: Your site’s domain. This could be your main domain or a subdomain.
- ?: Starts the query string. This is how we pass instructions to WordPress and PMPro.
- pmpro_restricted_file_dir=premium-downloads: Tells PMPro which subfolder inside your unique restricted files directory to look in. In this case, premium-downloads is the subfolder you created in Step 2.
- &: Separates one query parameter from the next.
- pmpro_restricted_file=pricing-guide.pdf: The exact file name inside the subfolder you want to serve. This must match the file name on the server exactly (case-sensitive on some hosting environments).
With just a few lines of code and a structured upload folder, you can serve secure, membership-protected content like a pro.
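Assembling the URL in code, as an added example (not PMPro's generator or code from this guide): it percent-encodes both values so a file name containing a space or `&` does not break the query string. The function name and the second sample file name are hypothetical, and treating both values as single path components is an assumption based on the description above.

```php
<?php
/**
 * Added example: build a PMPro restricted-file URL from its parts.
 * Assumption: both values are single path components (a subfolder name
 * and a file name), so anything containing a path separator is rejected.
 */
function my_pmpro_restricted_file_url( $site_url, $subfolder, $file_name ) {
	foreach ( array( $subfolder, $file_name ) as $part ) {
		if ( '' === $part || '.' === $part || '..' === $part
			|| false !== strpbrk( $part, '/\\' ) ) {
			throw new InvalidArgumentException( 'Expected a plain folder or file name.' );
		}
	}

	// http_build_query() percent-encodes the values. RFC 3986 mode writes a
	// space as %20 and "&" as %26, so the two parameters stay separate.
	$query = http_build_query(
		array(
			'pmpro_restricted_file_dir' => $subfolder,
			'pmpro_restricted_file'     => $file_name,
		),
		'',
		'&',
		PHP_QUERY_RFC3986
	);

	return rtrim( $site_url, '/' ) . '/?' . $query;
}

// Constructed sample values: the guide's own file, then a hypothetical
// file name that needs encoding.
echo my_pmpro_restricted_file_url( 'https://yourdomain.com', 'premium-downloads', 'pricing-guide.pdf' ), "\n";
echo my_pmpro_restricted_file_url( 'https://yourdomain.com/', 'premium-downloads', 'Q3 pricing & plans.pdf' ), "\n";
```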
Protecting Files Outside the Restricted File Directory
Before we added the unique restricted files directory, protecting files in your PMPro-powered site required a few additional settings at the server level.
PMPro does not restrict every uploaded image, PDF, video, or any other media, regardless of the post’s content restrictions. If the file is not in the restricted directory, the media file’s source is not protected. Any member can find the direct URL of your media and share that link with the world.
If you have legacy files that you want to protect, you must follow these steps to prevent direct access to files that are part of a protected post. The steps include:
- Adding custom rewrite rules by editing the .htaccess file in your WordPress site’s home folder.
- Editing the WordPress wp-config.php file to define a constant that PMPro uses to protect media.
- Ensuring your web server has enough memory to serve files through a PHP script.
- Verifying that your uploads folder is not served by a CDN (e.g. with WP Engine and some other hosts).
With respect to item 3 above, the amount of memory available to your site will limit how large of a file you can serve protected. For example, after enabling file protection, you may be able to serve a 1MB image, but not a 50MB PowerPoint document.
We recommend testing a few files that are the size you intend to share to make sure your server has enough memory to support file protection.
Note that this method is only applicable to files uploaded through the “Media” library in your WordPress site. If necessary, we have a companion tutorial on how to lock down files and directories outside of WordPress.
Legacy Method: How to Protect Files Outside the Restricted Folder
Follow the steps below to add file protection for media stored outside your site’s unique restricted files location. Once you complete these steps, files will be protected based on the settings for their parent post:
- Any link to a file in /wp-content/uploads/.../ will be routed through the getfile.php script before it loads in the browser.
- That script figures out the post the file is attached to.
- Then, the script checks that there is a logged-in user, and that this user has the right membership level to access that post.
- If so, the file is served through the script. If not, a 503 error is shown.
1. Add this line to your wp-config.php file
2. Add code to your server files based on your server type.
For Apache Servers
For sites hosted on an Apache server, add this code to your .htaccess file, above the # BEGIN WordPress line:
Make sure there are no line breaks/text wrap after adding this rule to your .htaccess file. This rule may need to be adjusted for sites that have WordPress installed in a subdirectory or if the paths on your setup are different.
If you prefer, you can adjust this .htaccess rule to lock specific file types only.
The following rule locks down only pdf, doc, docx, ppt, and zip files. This adjustment avoids running images and other static files that might be in your uploads folder through the getfile.php script, which can slow sites down.
You can change the protected file extensions to the specific file types you need to protect.
For NGINX Servers
For sites hosted on an NGINX server, add this code to your NGINX config file, below the other WP rules:
Again, this rule may need to be adjusted for sites that have WordPress installed in a subdirectory or if the paths on your setup are different.
If you prefer, you can adjust this NGINX config code to lock specific file types only.
The following rule locks down only pdf, doc, docx, ppt, and zip files. This adjustment avoids running images and other static files that might be in your uploads folder through the getfile.php script, which can slow sites down.
You can change the protected file extensions to the specific file types you need to protect.
3. Make sure your files are “attached” to protected posts.
Files uploaded from the edit post screen are attached to that post. Files uploaded to the Media Library directly are unattached. To check a file’s attachment, find it in the Media Library and check the “Uploaded To” tab. From there, you can detach it or attach it to the correct protected post.
4. Test file protections.
Once you’ve completed these steps, test the protection by uploading a file to a page or post that requires membership to access. The attached file will require the same membership level(s) to view.
Be careful when trying to protect images. Besides potentially putting strain on your server if you have a lot of images that don’t need protection, WordPress will create resized versions of image files, and PMPro is not clever enough yet to associate the resized versions with the attached post.
Limit The Number of Downloads Members Can Access
We often get asked if there is a way to limit the number of downloads a member can access, either permanently or within a certain time frame. Here’s how:
- Use the Limit Post Views Add On: This Add On restricts the number of views a member can have for posts, pages, or CPTs (Custom Post Types).
- Combine with File Protect Rules: When a member views a post with a protected download, it counts against their total allowed views.
Using PMPro protected files with Limit Post Views allows you to manage the number of downloads by limiting the views of the content that contains them.
Set Up Multiple Membership Levels For Download Access
One final file protection recommendation we have is for sites that want to sell single downloadables. PMPro now supports multiple memberships per user. Here’s how to sell single downloads with PMPro:
Create a Level For Each Download
- Navigate to Memberships > Settings > Levels in the WordPress admin
- Create a new membership level for each downloadable file you want to sell.
- Set the pricing and any necessary billing details for each level.
- Make sure the Level Group allows multiple selections. This is the key to allowing people to purchase more than one downloadable within the group, without losing access to their previous purchase.
Create Posts, Pages, or CPTs For Each Download
- Create a new post or edit an existing post.
- Upload the file to the post using the WordPress media library. The media must be uploaded through the post itself so that it is “attached” to the post ID in your database.
- Now, use the Require Membership meta box to restrict access to the specific membership level created for that download.
That’s it. You now have a collection of single membership levels that provide access to single downloadable files.
Get Expert Support for Your File Protection Questions
If you have any issues with the steps in this guide, reach out to our support team. We will try to help you through any issues you are having.
Note that this kind of functionality is highly reliant on your server setup and you may need to hire a developer to set this up fully.
Frequently Asked Questions
File protection in Paid Memberships Pro allows you to restrict access to files uploaded to your site’s unique restricted files folder. This is the newest method of protecting files. You can also use legacy features to protect WordPress media library files, ensuring only members with appropriate access can view or download them.
Test one of your file download links as a member or non-member. The linked file should require the membership level as defined in your pmpro_can_access_restricted_file filter.
Use the Limit Post Views Add On in combination with file protection rules to restrict the number of views or downloads a member can access within a specific timeframe.
Yes, server memory limits can affect the size of files you can protect. Additionally, PMPro may not correctly associate resized image versions with the protected post, potentially leaving some image files unprotected.