Our Prevent Direct Access (PDA) Gold plugin provides an easy way to help you protect your private files. You can either protect individual or multiple files at the same time with WordPress Bulk Actions. Now you can even protect the entire folder, i.e. all files on that folder, with PDA Access Restriction extension.
Requirements:
- PDA Access Restriction version 1.0.4 or greater
- Prevent Direct Access Gold version 3.0.25.4 or greater
In this article, we’ll show you how to restrict access to entire WordPress folders in popular hosting servers.
Apache – Single Site
After activating our plugins successfully, navigate to Prevent Direct Access Gold >> Settings menu from your admin dashboard.
Then switch to “Folder Protection” tab and protect your private folders with some steps:
Step 1: Select folders that you want to protect
- You can select main folders under WordPress root or uploads directory only.
- Only folders whose name includes lowercase letters (a-z), numbers (0-9), dash (-), and underscore (_) are accepted and displayed under the Select field. If your folders aren’t listed here, please make sure their names follow this rule.
Step 2: Select file types
Our plugin protects all file types in protected folders by default.
But you can choose to protect some certain file types only. The other files will be public to access as usual.
Step 3: Set access permission
After selecting protected objects, you need to define who can access your protected files based on:
- User roles
- Default value: Admin users
- Users
- Default value: No users
This option is applied for all protected files and sub-folders under the selected folders.
To grant different permission to different folders under uploads directory, you need to define our custom constant in wp-config.php file.
Step 4: Set whitelisted referrer URLs (optional)
This option allows you to define who can access your protected files based on where they have come from.
Unlike the file protection of PDA Gold where we move your all protected files into _pda directory, this folder protection method keeps all your file URLs as they are.
We also display the default WordPress media folders such as 2018 and 2019. So if you’re to choose those folders, it may cause UI conflicts with PDA Gold default file protection on the Media library.
“No Access” Rule
If users access a protected file without permission, they will be redirected to the 404 error page or custom “No Access” page depending on your settings.
Multisite
Main site
After configuring and saving the feature options successfully, please go back to the Settings tab to get the rewrite rules and copy it to your .htaccess file as per our instructions.
Subsites
For our feature to work properly on subsites, simply replace the above Folder Protection rules with the following:
# AR Rewrite Rules for Folder Protection # Root Folder Protection RewriteRule ^((your-root-folder-name-1|your-root-folder-name-2)/.*\.\w+)$ index.php?pda_v3_pf=$1 [QSA,L] # Folder Protection under Uploads RewriteRule ^wp-content/uploads(?:/sites/[0-9]+)?(/(your-folder-name-1|your-folder-name-2)/.*\.\w+)$ index.php?pda_v3_pf=$1 [QSA,L] # AR Rewrite Rules for Folder Protection End
Please note that:
- The root folder permission is set on the main site. It doesn’t follow subsites’ permission even if you select them under each subsite.
- There are 2 different file URLs and permissions, even though they’re technically pointing to the same original file:
- http://pda.com/multisite/wp-content/uploads/sites/9/private_files/2020.pdf
This file URL will always return 404 - http://pda.com/multisite/site-9-name/wp-content/uploads/sites/9/private_files/2020.pdf
This file URL will follow the File Access Permission you set under Site 9 – Prevent Direct Access Gold – Folder Protection tab
- http://pda.com/multisite/wp-content/uploads/sites/9/private_files/2020.pdf
Rewrite Rules for WP Engine
For our feature to work on WP Engine and Nginx servers, you have to implement these rewrite rules as follows.
Redirect name: Rules for folder protection
Source:
- For folders under Uploads Directory:
^wp-content/uploads(/(your-folder-name-1|your-folder-name-2)/.*\.\w+)$
- For folders under Root Directory:
^(/(your-folder-name-1|your-folder-name-2)/.*\.\w+)$
Destination: https://www.yourwebsite.com/index.php?pda_v3_pf=$1
Redirect type* 301 Permanent
* “your-folder-name-1” and “your-folder-name-2” are folders you want to protect. Use | to separate each folder name.
Rewrite Rules for NGINX servers
Please follow 3 simple steps below to update folder protection rules in Nginx server:
Step 1: Copy the rewrite rules shown under Folder Protection tab
Step 2: Find and open your website’s Nginx config file which is normally located at /etc/nginx/site-available (or /etc/nginx/conf/site-available if you’re using Arch Linux)
Step 3: Put it inside the server block
server {
location / {
...
}
#Put our rewrite rules here, i.e.
rewrite ((prevent-direct-access)/.*\.\w+)$ "/index.php?pda_v3_pf=$1" last;
rewrite wp-content/uploads(/(protect\s+page\s+and\s+post)/.*\.\w+)$ "/index.php?pda_v3_pf=$1" last;
}
After that, restart your Nginx server. Folder Protection feature should be now working properly on your website.
Other Hosting Servers
- Cloudways
- LiteSpeed
- Plesk
Some hosting providers running on Plesk – with Nginx as a reverse proxy, don’t allow users to customize Nginx rewrite rules. Besides, those using Nginx caching servers such as Cloudways and LiteSpeed will cache your files no matter how they are protected.
If that’s the case, you can still make our Folder Protection work by following the instruction below:
- Select specific folders that you want to protect, which could be in your WordPress root or uploads directory, under our Folder Protection settings tab.
- Create a .htaccess file under these folders with the following rules:
# Apache 2.2 <IfModule !mod_authz_core.c> Order Deny,Allow Deny from all </IfModule> # Apache 2.4 <IfModule mod_authz_core.c> Require all denied </IfModule>
All your files under the folders should be prevented from direct access now. For example, these 2 URLs should return 404 if users don’t have the permission set under our “Folder Protection” settings tab:
- https://your-website.com/abc/ToDo-List.pdf
- https://your-website.com/wp-content/uploads/private-folder/Oner-Page-Business-Plan.pdf
- Access your protected files through our raw URL instead:
https://your-website.com/index.php?pda_v3_pf=/abc/ToDo-List.pdf https://your-website.com/index.php?pda_v3_pf=/private-folder/Oner-Page-Business-Plan.pdf
