Grant Access to Protected Files under WordPress Folders based on Referrer Links

PDA Access Restriction 1.3.0 extends the ability to get control over the folder protection by restricting access to certain referrer links. In other words, you will be able to deny file access under private folders to specific visitors based on where they come from.

In this article, we will walk you through the following sections on how this function works in more depth.


What are referrer links?

Referrer URL is the address of the webpage that sends users to your website. For example, you find our PDA Gold on the WordPress plugin repository. By clicking on the anchor text “Check out our Gold version now”, you’ll be redirected to our Features page. The link is a referrer link.

In case you embed files such as images, galleries, etc, in the content, the content URL will become the referrer link of these embedded files.

Grant file access based on referrer links

Once activating our plugins, navigate to Prevent Direct Access Gold >> Settings from your admin dashboard and switch to Folder Protection tab.

You will see the option to set whitelisted referrer links at the bottom of this page.

Firstly, select which folders you want to protect and save your selection.

Once saved, the folder name will display in the dropdown under “Allow Referrer Links” option. Select the desired folder and apply the proper referrer rule.

There are 3 referrer rules, including:

(1) Disable referrer links

By default, this feature is disabled. Only whitelisted user roles can access all files within the protected folders.

(2) Allow all referrer links

If you apply this rule, users can access your protected files as long as they’ve visited the content in which these files are embedded. Users won’t be able to share the file URLs with other people without your permission.

(3) Allow specific referrer links

You define the specific referrer URLs which your users have to visit in order to access your protected files.

* matches any sequence of characters (including the blank sequence)If your whitelisted referrer link is*, all referrer links under this domain are valid.


When you block or grant someone access by referrer links, you might come across the Referrer-Policy term. Its value tells browsers which referrer information is included with the page request.

This referrerpolicy="no-referrer-when-downgrade" value is set by default. In other words, referrer links won’t be sent with the requests from HTTPS to HTTP due to the protocol security. If you allow users to access your private folder from*, for example, the folder must be hosted on an HTTPS website too.

Limitation: This feature won’t work properly if you use referrerpolicy="origin"

Target = “_blank” and rel=”noreferrer noopener”

From the WordPress version 4.7.4, when users set target=”_blank” to a hyperlink, rel=”noreferrer noopener” will be added automatically into the link too. This is part of a security issue fix of TinyMCE on 23rd Nov 2016.

This default WordPress feature will also prevent you from whistling or blocking users via referrer links as well.

Lasted updated on November 5, 2020