Prevent Direct Access plugin provides a simple solution to prevent Google and other search engines from indexing and unwanted users from accessing your files without permission.
Protect WordPress Media Library File Uploads
Prevent Direct Access (PDA) is designed to protect your media files such as images (PNG, JPEG), documents (PDF, DOCX, PPTX), audios, and videos (MP4, MP3) that you upload to your website, via either Media library or Pages/ Posts.
Once protected, only the file’s author can access their files directly by default. Unauthorized users will be redirected to a No Access page when attempting to view and download these files.
Since PDA Lite version 2.7.7, you can protect unlimited files under your Media Library. Check out our Gold version which offers file protection on the fly and many other advanced features.
Installation
- Under your WordPress admin dashboard, click Add New under Plugins
- Search “Prevent Direct Access” in the repository
- Click Install Now
- Once you’ve installed our plugin, click Activate
Web Server Support
Since version 2.7.4, Prevent Direct Access supports Nginx, IIS and Apache servers.
While our rewrite rules are inserted automatically for Apache servers, you have to implement these rules manually for Nginx and IIS servers.
NGINX Support
Follow the steps below to make our file protection work properly on your NGINX-server sites.
- Copy the rewrite rules shown on Prevent Direct Access settings page
- Find your website’s Nginx config file which is often located at
/etc/nginx/site-availableor/etc/nginx/conf/site-available(if you’re using Arch Linux) - Paste the copied rules in the server block
server {
location / {
...
}
#Put our rewrite rules here, i.e.
rewrite wp-content/uploads/_pda(\/[A-Za-z0-9_@.\/&+-]+)+\.([A-Za-z0-9_@.\/&+-]+)$ "/index.php?pda_v3_pf=$1&is_direct_access=true&file_type=$2" last;
rewrite private/([a-zA-Z0-9-_.]+)$ "/index.php?pda_v3_pf=$1" last;
}
Restart your Nginx server. Our Prevent Direct Access should be now working on your website.
IIS Support
In order for our Prevent Direct Access Lite to work properly on your IIS web server, please put the following additional codes on your web.config file located at your WordPress website’s root folder.
If the web.config file does not exist, simply create a new one.
<?xml version="1.0"?> <configuration> <system.webServer> <rewrite> <rules> <!-- START - Prevent Direct Access Lite rules - START --> <rule name="Imported Rule 1" stopProcessing="true"> <match url="private/([a-zA-Z0-9]+)$" ignoreCase="false"/> <action type="Rewrite" url="index.php?pda_v3_pf={R:1}" appendQueryString="false"/> </rule> <rule name="Imported Rule 2" stopProcessing="true"> <match url="wp-content/uploads/_pda(\/[A-Za-z0-9_@.\/&+-]+)+\.([A-Za-z0-9_@.\/&+-]+)$" ignoreCase="false"/> <action type="Rewrite" url="index.php?pda_v3_pf={R:1}&is_direct_access=true&file_type={R:2}" appendQueryString="true"/> </rule> <!-- END - Prevent Direct Access Lite rules - END --> <rule name="wordpress" patternSyntax="Wildcard"> <match url="*"/> <conditions logicalGrouping="MatchAll" trackAllCaptures="false"> <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/> <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true"/> </conditions> <action type="Rewrite" url="index.php"/> </rule> </rules> </rewrite> </system.webServer> <system.web> <compilation debug="true"/> </system.web> </configuration>
Settings
Under your WordPress admin dashboard, click on “Prevent Direct Access” menu in the left sidebar to configure its settings.
FILE PROTECTION
(1) Set File Access Permission
Allow you to choose who can access your protected files by default. User roles options include:
- Admin users
- The file’s author (by default)
Upgrade to our Gold version to grant your protected file access to:
- Logged-in users
- No one (means no person is allowed to access your private files)
- Anyone (means our plugin only blocks search indexing)
- Custom Roles
(2) Customize “No Access” Page
Allow you to select which page, post to display when users have no access to your protected files or when they click on expired private download links. In other words, unauthorized users will be redirected to this “No Access” page.
The default “No Access” page is your website’s 404 error page.
In our Gold version, you can even redirect users to custom links.
OTHER SECURITY OPTIONS
(1) Disable Copy and Right Click
Turn on this option to disable text selection and right-clicks on all your web pages. It makes it harder for visitors to copy your content, thus prevent content thieft.
(2) Restrict Media Library Access
By default, WordPress allows users who can access Media Library to see all files there.
Enable this option to restrict users to only see their own uploads. Admins will still have complete access to all files.
(3) Prevent Image Hotlinking
Prevent other people from stealing and using your images or files without permission. It means other people cannot copy and embed your file URLs in their own websites anymore. The images won’t be displayed. Other documents won’t be accessible either.
(4) Disable Directory Listing
Turn on this option if you do not want others to browse and view all of WordPress folders and subdirectories.
Upgrade to our PDA Gold version to get more advanced setting options.
Plugin Walkthrough
Here’s how to activate and use our Prevent Direct Access (PDA) Free version.
First of all, go to Media to protect your files. You can choose to protect files either in List View or Grid View.
Media Library Grid View
- Click on a file that you want to protect, and then tick Protect this file checkbox
- After being protected, the file will be highlighted with a red border
- Simply untick Protect this file checkbox if you want to unprotect the file.
Please note that if you get stuck with “Protecting…” status, it might be because the file that you want to protect does not exist or there is a conflict with other plugins.
You can switch to Media List View to see the error message.
Media Library List View
- Choose List View option under Media Library
- A new column named Prevent Direct Access will be created by our plugin. To protect a specific media file, simply click on Configure file protection and click on Protect this file
- Once a file is protected, the plugin will automatically generate a private URL containing random strings for users to access the private file directly. You can copy the private URL to clipboard and paste it on their browsers or email by clicking on the Copy to clipboard button.
- If you want to unprotect the file, simply click on Unprotect this file
You can refer to our FAQ for more information.
Lite version Logic & Limitations
- The default File Access Permission (FAP) of all protected files is set to its author
- Even admin users who are not the file’s author cannot access the file directly
- To grant admin users access to files whose FAP is “The file’s author”, simply add the following code snippet to your (child) theme functions.php file or plugins like Code Snippets.
add_filter( 'pda_handle_file_author_permission', function ( $is_allowed ) { $current_user = wp_get_current_user(); if ( empty( $current_user ) ) { return $is_allowed; } if ( is_super_admin( $current_user->ID ) ) { return true; } $user_login = $current_user->roles; foreach ( $user_login as $role ) { if ( 'administrator' === $role ) { return true; } } return $is_allowed; } );
- You cannot auto-generate or customize new Private Download Link with our PDA Lite
- You can’t set or edit its Download Limit and Expiry either. As a result, anyone can access the Private Download Links without any restriction.
Refer to the complete features comparison between our PDA Gold vs Lite version.
