How to Protect Your Media Files on WordPress Multisite

Protecting your WordPress files is a breeze with our “Prevent Direct Access” plugin no matter how many files you have or whether they are PDF, ZIP or Video files.

It’s slightly more complicated when it comes to WordPress Multisite. Having said that, if you can set up a WordPress Multisite network, you can easily update these simple configurations so that Prevent Direct Access works perfectly with WordPress Multisite.

Here is a step-by-step process that you can protect your Media Files on your WordPress Multisite:

Step 1: Purchase and get our Prevent Direct Access Gold as well as your Developer, Pro or Unlimited-site license ready.

Please note that you will need either a Developer/Pro/Unlimited-site license or PDA Multisite extension to use our Gold on your WordPress Multisite Network.

If you activate your 3-or 10-site PDA Gold license without our Multisite extension on a network, you will get the following errors:

  • No one can access the private links (404 error)
  • Our File Access Permission is not working properly, i.e. anyone can access the protected link.

For version 3.0 and above

Step 2: Copy these rules then move on to step 3:

# Prevent Direct Access Rewrite Rules
RewriteRule ^(?:[_0-9a-zA-Z-]+/)?private/([a-zA-Z0-9-_]+)$ index.php?pda_v3_pf=$1&pdav3_rexypo=ymerexy [L]
RewriteCond %{REQUEST_FILENAME} -s
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Twitterbot/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Googlebot/[0-9]
RewriteRule ^wp-content/uploads(?:/sites/[0-9]+)?(/_pda/.*\.\w+)$ index.php?pda_v3_pf=$1 [L]
# Prevent Direct Access Rewrite Rules End

For version 2.x.x 

Step 2: Once you install & “network activate” our plugin, you should be able to find these htaccess rules under our settings on every single site of your network.

Every single website of your network has it own “Site Rules” while “Basic Rules” are the same for all the sites. You should update the “Site Rules” on your main htaccess file whenever you create a new site on your network. This is very important as our plugin won’t be working on sites that’s not had its htaccess “Site Rules” updated on the main htaccess file.

RewriteRule private/site/1/([a-zA-Z0-9-_]+)$ /index.php?pre_dir_acc_61co625547=$1 [R=301,L]
RewriteRule private/site/2/([a-zA-Z0-9-_]+)$ local1/index.php?pre_dir_acc_61co625547=$1 [R=301,L]
RewriteRule private/site/3/([a-zA-Z0-9-_]+)$ local2/index.php?pre_dir_acc_61co625547=$1 [R=301,L]
[Put LINE 1 of your new site "Site Rules" here]

These 4 lines are "basic rules" which is always here and never change]
RewriteCond %{REQUEST_FILENAME} -s
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Twitterbot/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Googlebot/[0-9]

RewriteRule wp-content/uploads(.+)(\.)([A-Za-z0-9]+)$ site2/index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$3 [QSA,L]
RewriteRule wp-content/uploads/sites/2/(.+)(\.)([A-Za-z0-9]+)$ site2/index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$3 [QSA,L]
RewriteRule wp-content/uploads/sites/3/(.+)(\.)([A-Za-z0-9]+)$ site3/index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$3 [QSA,L]
[Put LINE 2 of your new site "Site Rules" here]

Step 3: Put the above rules on your main .htaccess file as follows:

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

>>> Please put our htaccess rules here <<<

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

That’s about it. Now our Prevent Direct Access Gold should be working perfectly on your WordPress Multisite Network as usual.

PS: If you change your Private URL Prefix on our Settings page, you need to replace the word private on the htaccess rewrite rules above accordingly.

Lasted updated on November 22, 2019