How to Protect Your Media Files on WordPress Multisite

Protecting your WordPress files is a breeze with our Prevent Direct Access (PDA) Gold plugin no matter how many files you have or whether they are PDF, ZIP, MP3 or MP4 files.

It’s slightly more complicated when it comes to WordPress Multisite. Having said that, if you can set up a WordPress Multisite network, you can easily update these simple configurations for PDA Gold to work perfectly.

Configure WordPress Multisite Rules

Here is a step-by-step process that allows you to protect your Media Files on WordPress Multisite:

Step 1: Get our PDA Gold Pro license or other licenses with Multisite extension ready.

If you activate your 3-or 10-site PDA Gold license without our Multisite extension on a network, you will get the following errors:

  • No one can access the private links (404 error)
  • Our File Access Permission is not working properly, i.e. anyone can access the protected link.

For version 3.0 and above

Step 2: Copy the rules on your PDA Gold Setting page then move on to step 3.

Below is the default rules.

# Prevent Direct Access Rewrite Rules
RewriteRule ^(?:[_0-9a-zA-Z-]+/)?private/([a-zA-Z0-9-_]+)$ index.php?pda_v3_pf=$1&pdav3_rexypo=ymerexy [L]
RewriteCond %{REQUEST_FILENAME} -s
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Twitterbot/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Googlebot/[0-9]
RewriteRule ^wp-content/uploads(?:/sites/[0-9]+)?(/_pda/.*\.\w+)$ index.php?pda_v3_pf=$1 [L]
# Prevent Direct Access Rewrite Rules End 

If you make any changes to your setting, you should copy the rules on the plugin instead.

For version 2.x.x 

Step 2: Once you install & “network activate” our plugin, you should be able to find these htaccess rules under our settings on every single site of your network.

Every single website of your network has it own “Site Rules” while “Basic Rules” are the same for all the sites. You should update the “Site Rules” on your main htaccess file whenever you create a new site on your network. This is very important as our plugin won’t be working on sites that’s not had its htaccess “Site Rules” updated on the main htaccess file.

RewriteRule private/site/1/([a-zA-Z0-9-_]+)$ /index.php?pre_dir_acc_61co625547=$1 [R=301,L]
RewriteRule private/site/2/([a-zA-Z0-9-_]+)$ local1/index.php?pre_dir_acc_61co625547=$1 [R=301,L]
RewriteRule private/site/3/([a-zA-Z0-9-_]+)$ local2/index.php?pre_dir_acc_61co625547=$1 [R=301,L]
[Put LINE 1 of your new site "Site Rules" here]
These 4 lines are "basic rules" which is always here and never change]
RewriteCond %{REQUEST_FILENAME} -s
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Twitterbot/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Googlebot/[0-9] RewriteRule wp-content/uploads(.+)(\.)([A-Za-z0-9]+)$ site2/index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$3 [QSA,L]
RewriteRule wp-content/uploads/sites/2/(.+)(\.)([A-Za-z0-9]+)$ site2/index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$3 [QSA,L]
RewriteRule wp-content/uploads/sites/3/(.+)(\.)([A-Za-z0-9]+)$ site3/index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$3 [QSA,L] [Put LINE 2 of your new site "Site Rules" here]

Step 3: Put the above rules on your main .htaccess file as follows:

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
 >>> Please put our htaccess rules here <<<
 RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

That’s about it. Now our Prevent Direct Access Gold should be working perfectly on your WordPress Multisite Network as usual.

PS: If you change your Private URL Prefix on our Settings page, you need to replace the word private on the htaccess rewrite rules above accordingly.

Network Deactivate PDA Gold

As per WordPress rule, if you network activate any plugins, you have to network deactivate them too.

If you intend to network deactivate our plugin, it’s highly recommended to unprotect your files on your individual sites beforehand.

There will be a warning when you try to network deactivate our plugin.

When you deactivate our plugin, we have to move your protected files from our _pda folder back to their normal location.

That’s why there could be a timeout error in case there are a lot of protected files on multiple sites in your network.

As a result, some protected files may be not moved back successfully which would potentially cause some file-not-found issues.

Lasted updated on March 5, 2021