‘Private’ uploaded files (PDFs, images, etc.) will normally be only included in private posts and pages. But the files themselves can still be accessed by anyone if they know the corresponding URLs.
For example, a PDF file’s URL might be
and anyone could download that file because WordPress does not get a chance to check their authorisation.
The solution that the Private Uploads plugin uses involves moving any private files to a separate folder, and then configuring the web server to ask WordPress to authenticate access to files in that folder.
So the file’s URL might now be
and an HTTP server rewrite rule will convert this to
The Private Uploads plugin will intercept that URL and reject it with a 403 status code.
This plugin is more efficient than some similar ones because it only has to run when serving files in the private folder(s): the web server handles other uploaded files (ones not in the private folders) directly.
- Sufficient access to the web server to allow the required configuration.
- This plugin was inspired by a discussion on StackExchange.
- Currently, access to private files just depends on the
is_user_logged_in()function. This plugin could be developed to give more fine-grained control, such as having a folder for each user.
Install the plugin in the usual way and activate it.
Move your private uploads (PDFs, images, or whatever) into a separate sub-folder within the WordPress uploads folder (usually /wp-content/uploads). One way of creating such a folder and moving the private files is by means of the Media Organiser plugin.
Then configure your web server as follows:
Include a line like this in the server section of the Nginx configuration:
rewrite ^/wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 break;
The folder name ‘private’ can be anything you like — it just has to match the name of the folder where your private files are kept, and be enclosed in parentheses in the rewrite statement.
More than one private folder can be configured by adding more lines of the same form, for example:
rewrite ^/wp-content/uploads/(2017/secure)/(.*)$ /?pucd-folder=$1&pucd-file=$2 break;
Enchiridion has supplied the following configuration for Apache. Thank you.
Here’s an equivalent rule for Apache to add to your existing rules:
RewriteRule ^wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 [L]
Or you can copy/paste this entire block into your
.htaccess file. Add before the
# BEGIN WordPress block:
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / # Block unauthenticated user access to the /private/ uploads folder RewriteRule ^wp-content/uploads/(private)/(.*)$ /?pucd-folder=$1&pucd-file=$2 [L] </IfModule>
Other web servers
are left as an exercise for the reader.
Contributors & Developers
“Private Uploads” is open source software. The following people have contributed to this plugin.Contributors
Translate “Private Uploads” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Tested with WordPress 5. Documentation tidied up.
- First public release.