
Protect WordPress Media Files

This is an experimental technique that I am playing with. It’s the simplest possible way that I could think of to protect all files in the WordPress Media Library using only Apache/.htaccess. I’ve been testing the code on an image-heavy site and so far there are no issues. So I want to put the code out there for others to test and hopefully provide feedback if anything is less than perfect. It’s a super simple method that prevents media files from being accessed from anywhere other than the site at which they are hosted.

What it Does

This technique adds a slice of code to your main .htaccess file. The code checks if the URI request is for any file inside of the WP Media Library, specifically any file located in the /wp-content/uploads/ directory. If the request is for a media file, the code then checks if the referrer matches your site URL. If it doesn’t match, the image request is from some other site, and thus will be blocked. This technique works because the browser sends the URL of the page that embeds an image as the referrer of the image request, so for legitimate requests the referrer is always the site hosting the images.

The Code

Here is the .htaccess code to protect WP media files. Make sure to read the Pros and Cons before using this technique.

# Protect WP Media Files
# https://m0n.co/protect-media-files
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_URI} /wp-content/uploads/ [NC]
	RewriteCond %{HTTP_REFERER} !^https://example.com [NC]
	RewriteRule .* - [F,L]
</IfModule>

Add that to your site’s main .htaccess file, change example.com to match your site, and done. You can (and should) test the technique by visiting pages that display your media files. Also try requesting the media files directly, and test hotlinking of your images by using a free online hotlink checker. Test well and please report any bugs, issues, etc.

How it Works

For those interested in how the code works, here is a line-by-line breakdown:

  • Open the <IfModule> container if mod_rewrite exists
  • Make sure the rewrite engine is enabled (see note)
  • Check if the requested URI is for anything in the WP Media Library
  • Check if the referrer does not match the site URL (the leading ! negates the pattern)
  • If both of the previous conditions are true, the request is denied via 403 “Forbidden” response
  • Close the <IfModule> container

So the technique is very simple and lightweight. Again, remember to replace example.com with the actual URL of the site. Then test well.

Note: It’s okay to have more than one RewriteEngine On directive declared in your .htaccess file. Apache simply ignores the repeats once the rewrite engine is enabled.

Pros & Cons

There are some pros and cons to techniques like this. First the Pros:

  • Pro — Protects against hotlinking
  • Pro — Prevents direct image access (i.e., no referrer)
  • Pro — Helps to ensure images are displayed only on your site
  • Pro — Super simple, lightweight and fast

And the Cons:

  • Con — Prevents images from appearing in image search results
  • Con — Prevents direct image access (i.e., no referrer)
  • Con — Experimental, not well tested (as of 2021/11/21)
  • Con — It’s possible for bad actors to fake/spoof the referrer

So it’s a limited use-case scenario, where you want to retain as much control and protection for your images as possible. Notice that some items are on both the pro and con lists. This is because whether something is a pro or a con depends on your goals, strategy, and so forth. For example, Andy may like to see his images appear in image-search results, while April, on the other hand, would rather not.

Also keep in mind that this technique is not a 100% guarantee of anything. It is just as strong as other anti-hotlink and image-protect techniques, but could be bypassed by anyone with the ability to spoof a referrer. Spoofing a referrer is one of the oldest tricks in the book; however, most requests don’t bother spoofing anything. So the technique generally should be effective.


About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.

3 responses to “Protect WordPress Media Files”

  1. Hi Jeff,

    Thank you for this. I like the simplicity of your solution. I’m wondering about something. There’s a WordPress security plugin I like to use, which has a ‘Prevent Image Hotlinking’ feature. Their solution also writes to the .htaccess file and produces a slightly longer piece of code that looks like this:

    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.mywebsite\.com [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END

    I’m wondering how this code works differently from yours and if it would have different pros and cons.

    Thanks again,

    Dave

  2. Hi Jeff, me again,

    So I decided to use the hotlink checker you referenced to test the security plugin’s code and your code on a live site.

    Turns out the security plugin’s code doesn’t actually stop hotlinking from happening and your code does. So I guess that answers my question about the difference between the two ; )

    At the same time, I’m assuming the developers of the security plugin did test their solution and found it satisfactory, so I’m still curious about your thoughts too…

    • Jeff Starr 2021/11/22 11:03 am

      Hey Dave, great to hear from you. I hope you are doing well.

      Not sure what’s up with your security plugin’s .htaccess rules. Looks like the logic is a bit off though. Would need to do some testing to be sure. Best advice would be to ask the plugin providers why it’s not working, they should be able to resolve any logical inconsistencies.
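To make the two rule sets on this page comparable, here is an added Python model of the slice of Apache mod_rewrite that both snippets use (RewriteCond regex tests, the ! negation, the [NC] flag, the -f file test and a RewriteRule with [F]). It is example code written for this page, not Apache, not the post's own code and not the plugin's code, and it covers both the line-by-line breakdown in "How it Works" above and the plugin snippet Dave posted. The document root, the upload path and the referrer values are constructed, and the plugin's mywebsite.com is swapped for example.com so both rule sets see identical requests.

```python
import re

# Added example (not code from the post or from any plugin): a small model of
# the subset of Apache mod_rewrite that the two .htaccess snippets on this
# page use, so their logic can be exercised offline against constructed
# requests. A RewriteCond is modelled as (variable, pattern, negated, [NC]);
# the pattern "-f" stands for the file-exists test.

def cond(var, pattern, negate=False, nocase=False):
    return (var, pattern, negate, nocase)

def cond_passes(c, request, existing_files):
    """Evaluate one RewriteCond against a request (a dict of server variables)."""
    var, pattern, negate, nocase = c
    value = request.get(var, "")
    if pattern == "-f":
        matched = value in existing_files
    else:
        # RewriteCond patterns are unanchored regex searches unless ^ or $ is used.
        matched = re.search(pattern, value, re.IGNORECASE if nocase else 0) is not None
    return not matched if negate else matched

def status_for(ruleset, request, existing_files):
    """Return 403 if every RewriteCond passes and the RewriteRule pattern matches
    (the [F] flag); otherwise 200, meaning the file is served normally."""
    conds, rule_pattern, rule_nocase = ruleset
    if not all(cond_passes(c, request, existing_files) for c in conds):
        return 200
    # In per-directory (.htaccess) context the rule pattern is matched against
    # the path relative to that directory, i.e. without the leading slash.
    path = request["REQUEST_URI"].lstrip("/")
    if re.search(rule_pattern, path, re.IGNORECASE if rule_nocase else 0):
        return 403
    return 200

# Rule set from the post, exactly as written (unescaped dot, no end anchor).
SITE_RULES = (
    [cond("REQUEST_URI", r"/wp-content/uploads/", nocase=True),
     cond("HTTP_REFERER", r"^https://example.com", negate=True, nocase=True)],
    r".*", False,
)

# Same rules with a tightened referrer pattern (an addition, not from the post):
# the escaped dot plus "(/|$)" after the host means a different host that merely
# begins with the characters "example.com" no longer passes the check.
SITE_RULES_TIGHT = (
    [cond("REQUEST_URI", r"/wp-content/uploads/", nocase=True),
     cond("HTTP_REFERER", r"^https://example\.com(/|$)", negate=True, nocase=True)],
    r".*", False,
)

# Rule set from the plugin snippet in the comments, with mywebsite.com replaced
# by example.com so both sets can be run against the same requests.
PLUGIN_RULES = (
    [cond("HTTP_REFERER", r"^$", negate=True),
     cond("REQUEST_FILENAME", "-f"),
     cond("REQUEST_FILENAME", r"\.(gif|jpe?g?|png)$", nocase=True),
     cond("HTTP_REFERER", r"^http(s)?://(.*)?\.example\.com", negate=True, nocase=True)],
    r"\.(gif|jpe?g?|png)$", True,
)

# Constructed sample data: document root, one uploaded image, and requests.
DOCROOT = "/var/www/html"
PHOTO = "/wp-content/uploads/2021/11/photo.jpg"
EXISTING_FILES = {DOCROOT + PHOTO}

def request(uri, referer):
    return {"REQUEST_URI": uri, "HTTP_REFERER": referer,
            "REQUEST_FILENAME": DOCROOT + uri}

CASES = {
    "own site, bare host": request(PHOTO, "https://example.com/some-post/"),
    "own site, www host":  request(PHOTO, "https://www.example.com/some-post/"),
    "other site":          request(PHOTO, "https://other.example/page.html"),
    "no referrer":         request(PHOTO, ""),
    "lookalike host":      request(PHOTO, "https://example.com.lookalike.example/"),
    "not an upload":       request("/wp-content/themes/t/style.css", "https://other.example/"),
}

def evaluate(ruleset):
    """Map each sample case to the HTTP status the model predicts."""
    return {name: status_for(ruleset, req, EXISTING_FILES) for name, req in CASES.items()}

if __name__ == "__main__":
    for label, rs in (("post", SITE_RULES), ("post, tightened", SITE_RULES_TIGHT),
                      ("plugin", PLUGIN_RULES)):
        print(label)
        for name, status in evaluate(rs).items():
            print(f"  {name:22} -> {status}")
```

Running it reproduces what the pro/con lists say: the post's rules answer 403 both for a foreign referrer and for an empty one, whereas the plugin's `!^$` condition lets empty-referrer requests through. Two further things the model flags are worth confirming on a real server. The post's pattern is a prefix match with an unescaped dot, so tightening it to `^https://example\.com(/|$)` keeps a different host that starts with the same characters from passing. And the plugin's referrer pattern requires a literal dot before the domain, so in the model a referrer from the bare `example.com` host is itself denied. In both rule sets the pattern has to name the host the site is actually served on, with or without www, which is what "change example.com to match your site" amounts to.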
