Paid Memberships Pro gives you many options for protecting WordPress posts, pages and 26 other types of content right out of the box. For some sites, you may want to restrict access to protected files as well. For example, maybe you want to upsell members access to a PDF workbook download or companion audio guide.

In this guide, we provide an overview of how file protection currently works with Paid Memberships Pro, a recipe to help you lock down files in your WordPress media, and details on how to limit the number of downloads a member can access using Paid Memberships Pro.

Locking Down (Protecting) Files with PMPro Banner Image

Table of contents

Understanding File Protection With WordPress and PMPro

Protecting files in your WordPress site requires a few additional restriction steps at the server level. At this time, we don’t enable file protection by default in core PMPro because of these server considerations.

If you upload an image, PDF, video, or any other media to protected content, the media file’s source remains unprotected. A member could find the direct URL of your media in the HTML page source and share that link.

If you want to prevent direct access to files that are part of a protected post, you’ll need to address file protection via a few steps, including:

  1. Adding custom rewrite rules by editing the .htaccess file in your WordPress site’s home folder.
  2. Editing the WordPress wp-config.php file to define a constant that PMPro uses to protect media.
  3. Ensuring your web server must have enough memory to serve files through a PHP script.
  4. Verifying that your uploads folder is not served by a CDN (e.g. with WP Engine and some other hosts).

With respect to item 3 above, the amount of memory available to your site will limit how large of a file you can serve protected. For example, after enabling file protection, you may be able to serve a 1MB image, but not a 50MB PowerPoint document.

We recommend testing a few files that are the size you intend to share to make sure your server has enough memory to support file protection.

Note that this method is only applicable to files uploaded through the “Media” library in your WordPress site. If necessary, we have a companion tutorial on how to lock down files and directories outside of WordPress.

How to Lock Files for Members Only

Follow the steps below to add file protection for members only to your WordPress membership site.

1. Add this line to your wp-config.php file


2. For sites hosted with Apache, add this code to your .htaccess file, above the # BEGIN WordPress line.

Make sure there are no line breaks/text wrap after adding this rule to your .htaccess file. This rule may need to be adjusted for sites that have WordPress installed in a subdirectory or if the paths on your setup are different.

For sites hosted with NGINX, add this code to your NGINX config file, below the other WP rules. Again, this rule may need to be adjusted for sites that have WordPress installed in a subdirectory or if the paths on your setup are different.


3. Alternately, adjust the .htaccess rule to lock specific file types only.

The following rule locks down only pdf, doc, docx, ppt, and zip files.This adjustment avoids running images and other static files that might be in your uploads folder through the getfile.php script, which can slow sites down.

You can change the protected file extensions to the specific file types you need to protect.


4. Here is the version of that rule you would use for NGINX servers:


5. Make sure your files are “attached” to protected posts.

Files uploaded from the edit post screen are attached to that post. Files uploaded to the Media Library directly are unattached. To check a file’s attachment, find it in the Media Library and check the “Uploaded To” tab. From there, you can detach it or attach it to the correct protected post.


6. Test file protections.

Once you’ve completed these steps, test the protection by uploading a file to a page or post that requires membership to access. The attached file will require the same membership level(s) to view.

Be careful when trying to protect images. Besides potentially putting strain on your server if you have a lot of images that don’t need protection, WordPress will create resized versions of image files, and PMPro is not clever enough yet to associate the resized versions with the attached post.

How This File Protection Setup Works

Following these steps means that:

  • Any link to a file in /wp-content/uploads/.../ will be routed through the getfile.php script before it loads in the browser.
  • That script figures out the post the file is attached to.
  • Then, the script checks that there is a logged-in user, and that this user has the right membership level to access that post.
  • If so, the file is served through the script. If not, a 503 error is shown.

Another Method: Use Download Monitor

If you are creating a true library of downloads, check out our integration with Download Monitor.

The Download Monitor Integration Add On for Paid Memberships Pro adds a “Require Membership” meta box to the “Edit Download” page. You’ll use Download Monitor to create, upload, and manage your library of content, and PMPro to protect access for what level or levels can access the download.

Limit The Number of Downloads Members Can Access

We often get asked if there is a way to limit the number of downloads a member can access, either permanently or within a certain time frame. Here’s how

  1. Use the Limit Post Views Add On: This Add On restricts the number of views a member can have for posts, pages, or CPTs (Custom Post Types).
  2. Combine with File Protect Rules: When a member views a post with a protected download, it counts against their total allowed views.

Using PMPro protected files with Limit Post Views allows you to manage the number of downloads by limiting the views of the content that contains them.

Set Up Multiple Membership Levels For Download Access

One final file protection recommendation we have is for sites that want to sell single downloadables. With PMPro v3.0+, we now support multiple memberships per user. Here’s how to sell single downloads with PMPro

Create a Level For Each Download

  • Navigate to Memberships > Settings > Levels in the WordPress admin
  • Create a new membership level for each downloadable file you want to sell.
  • Set the pricing and any necessary billing details for each level.
  • Make sure the Level Group these levels are a part of allows multiple selections. This is the key to allowing people to purchase more than one downloadable within the group, without losing access to their previous purchase.

Create Posts, Pages, or CPTs For Each Download

  • Create a new post or edit an existing post.
  • Upload the file to the post using the WordPress media library. The media must be uploaded through the post itself so that it is “attached” to the post ID in your database.
  • Now, use the Require Membership meta box to restrict access to the specific membership level created for that download.

That’s it. You now have a collection of single membership levels that provide access to single downloadable files.

Get Expert Support for Your File Protection Questions

If you have any issues with the steps in this guide, reach out to our support team. We will try to help you through any issues you are having.

Note that this kind of functionality is highly reliant on your server setup and you may need to hire a developer to set this up fully.

Frequently Asked Questions

What is file protection in Paid Memberships Pro?

File protection in Paid Memberships Pro allows you to restrict access to files uploaded to your WordPress media library, ensuring only members with appropriate access can view or download them.

Why isn’t file protection enabled by default?

File protection requires additional server configuration and can impact site performance, particularly with larger files. Therefore, it is not enabled by default in core PMPro.

How do I verify that files are protected?

Upload a file to a protected post or page and test access. The attached file should require the same membership level as the post to be viewable.

How can I limit the number of downloads members can access?

Use the Limit Post Views Add On in combination with file protection rules to restrict the number of views or downloads a member can access within a specific timeframe.

Are there any limitations to file protection?

Yes, server memory limits can affect the size of files you can protect. Additionally, PMPro may not correctly associate resized image versions with the protected post, potentially leaving some image files unprotected.

Jason Coleman

Author: Jason Coleman

Jason Coleman is the co-founder and CEO of Paid Memberships Pro, the most complete membership platform for WordPress. With a passion for pushing WordPress to its limits, Jason is the author of Building Web Apps With WordPress, published by O'Reilly Media.

Jason's entrepreneurial spirit is driven by uncertainty, risk, and the thrill of new opportunities. With over two decades of experience in development, management, and marketing, he is committed to Paid Memberships Pro: the only open source platform focused on helping creators get paid so they can find freedom in their life and fulfill their goals.

View more articles by Jason Coleman »

Free Course: Membership Site Development—The Basics

Develop a deeper understanding of membership site development in this beginner-level course. Learn how to make your site work better, save yourself time and money, and improve your site's performance.

Take Free Course Now
Featured Image for Membership Site Development Course: The Basics
Was this article helpful?
YesNo