Out of the box, Paid Memberships Pro will give you many options to lock down your WordPress posts and pages. You may need to restrict access to protected files as well. This recipe will show you how to lock down files in your WordPress media library using Paid Memberships Pro.


Understanding File Protection

Protecting files in your WordPress site requires a few additional restriction steps at the server level. We don’t enable file protection by default in core PMPro because of these server considerations. In order to protect files, you will need:

  1. The ability to add rewrite rules by editing the .htaccess file.
  2. The ability to edit the WordPress wp-config.php file.
  3. Enough memory on your server to serve files through a PHP script.
  4. An uploads folder that is not served by a CDN (e.g. with WP Engine and some other hosts).

With respect to item 3 above, the amount of memory available to your site limits the size of the files you can serve with protection enabled. For example, after enabling file protection, you may be able to serve a 1MB image, but not a 50MB PowerPoint document. We recommend testing a few files that are the size you intend to share to make sure your server has enough memory to support file protection.

Note that this method is only applicable to files uploaded through the “Media” library in your WordPress site. If you wish to lock down files and directories outside of WordPress, you can view the tutorial here.


How to Lock Files for Members Only

Follow the steps below to add file protection for members only to your WordPress membership site.

  1. Add this line to your wp-config.php file


  2. For sites hosted with Apache, add this code to your .htaccess file, above the # BEGIN WordPress line.

    Make sure there are no line breaks/text wrap after adding this rule to your .htaccess file. This rule may need to be adjusted for sites that have WordPress installed in a subdirectory or if the paths on your setup are different.

    For sites hosted with NGINX, add this code to your NGINX config file, below the other WP rules. Again, this rule may need to be adjusted for sites that have WordPress installed in a subdirectory or if the paths on your setup are different.


  3. Alternately, you can adjust the .htaccess rule to lock specific file types only.

    The following rule will lock down only pdf, doc, docx, ppt, and zip files. This adjustment avoids running images and other static files that might be in your uploads folder through the getfile.php script, which can slow sites down. You can change the protected file extensions to the specific file types you need to protect.


  4. Here is the version of that rule you would use for NGINX servers:


  5. Make sure your files are “attached” to protected posts. Files uploaded from the edit post screen are attached to that post. Files uploaded to the Media Library directly are unattached. To check a file’s attachment, find it in the Media Library and check the “Uploaded To” tab. From there, you can detach it or attach it to the correct protected post.

Once you’ve completed these steps, test the protection by uploading a file to a page or post that requires membership to access. The attached file will require the same membership level(s) to view.

Be careful when trying to protect images. Besides potentially putting strain on your server if you have a lot of images that don’t need protection, WordPress will create resized versions of image files, and PMPro is not clever enough yet to associate the resized versions with the attached post.


How this Method of File Protection Works

What’s happening here is that any link to a file in /wp-content/uploads/.../ will be routed through the getfile.php script before it loads in the browser. That script figures out the post the file is attached to, then checks if the logged-in user has access to that post. If so, the file is served through the script. If not, a 503 error is shown.
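The following audit sketch is an added example, not PMPro code. It models the decision described above to list uploads that would still be served without a membership check. The function name, the regular expressions and the sample data are assumptions constructed for illustration.

```python
import re

# Extensions from step 3's example; the regex is an assumption, not the
# rewrite rule published for PMPro.
PROTECTED_EXT = re.compile(r"\.(pdf|doc|docx|ppt|zip)$", re.IGNORECASE)
# WordPress names resized copies "<name>-<width>x<height>.<ext>".
RESIZED = re.compile(r"-\d+x\d+(?=\.[A-Za-z0-9]+$)")


def audit_uploads(paths, attached_to, protected_posts, ext_only=True):
    """Return {path: reason} for uploads that would NOT be gated.

    paths           -- paths relative to wp-content/uploads
    attached_to     -- {path: post_id}, as shown under "Uploaded To"
    protected_posts -- set of post IDs that require a membership level
    ext_only        -- True models the extension-limited rule from step 3
    """
    findings = {}
    for path in paths:
        if ext_only and not PROTECTED_EXT.search(path):
            findings[path] = "extension not routed through getfile.php"
        elif path not in attached_to:
            # Strip the size suffix to see if this is a copy of an attached file.
            if RESIZED.sub("", path) in attached_to:
                findings[path] = "resized copy, not associated with the post"
            else:
                findings[path] = "unattached, no post to check access against"
        elif attached_to[path] not in protected_posts:
            findings[path] = "attached to a post that is not restricted"
    return findings


# Constructed sample data: post 101 requires membership, post 202 does not.
SAMPLE_PATHS = [
    "2024/05/handbook.pdf", "2024/05/slides.ppt", "2024/05/notes.zip",
    "2024/05/chart.png", "2024/05/chart-300x200.png",
]
SAMPLE_ATTACHED = {
    "2024/05/handbook.pdf": 101,
    "2024/05/slides.ppt": 202,
    "2024/05/chart.png": 101,
}
SAMPLE_PROTECTED = {101}

if __name__ == "__main__":
    for ext_only in (True, False):
        print("extension-limited rule:" if ext_only else "all-uploads rule:")
        result = audit_uploads(SAMPLE_PATHS, SAMPLE_ATTACHED, SAMPLE_PROTECTED, ext_only)
        for path, reason in result.items():
            print(f"  {path}: {reason}")
```

Run it against an export of your media library both ways to see what the extension-limited rule leaves open compared with the all-uploads rule.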


Let me know how this works for you. If you have any issues, post something to the forums here. We will try to help you through any issues you are having.

Note that this kind of functionality is highly reliant on your server setup and you may need to hire a developer or pay extra to have someone set this up fully.
