Restrict access to files/folders in directory to logged-in users only

  • Hello!

    We have a resource website for our clients who purchase our software with tutorial/training videos, updates, and software documentation. Our older documentation is in PDF format and uploaded to wp-content, and our latest are created using MadCap Flare and the files are stored in folders on the server under root. We use Ultimate Member to manage our users, and both PDA Access Restriction and Prevent Direct Access Gold plugins by BWPS to restrict access to logged-in users only. Up until a month ago, everything worked fine.

    Last month, users started getting 404/403 errors when trying to access the files, and we were able to access the files without being logged in. The issue persists even with all other themes/plugins disabled, so we reached out to PDA support. They are trying to help figure out the issue, but it has been weeks and we are growing frustrated (along with our users).

    What other options do we have? I can’t seem to find other plugin options via Google so a point in the right direction would be very helpful. Can this be accomplished by custom code instead of a plugin? Any ideas or help would be greatly appreciated. Thank you in advance!

    WordPress version 6.2, Divi theme and plugins are all up-to-date. SiteGround hosting with Sucuri firewall.

Viewing 2 replies - 1 through 2 (of 2 total)

  • My recommendation would be to contact the support again. Since the plugin should control the access, their developers should be able to say something about it. It would also be possible, for example, an update of a server component on your system whereby their plugin is no longer executable. How their plugin works at this point, however, only their developers can say.

    Unfortunately, I am not currently aware of any alternative.

    Moderator bcworkz

    (@bcworkz)

    If you want to custom code a solution, the simplest is to use AuthType Basic or Digest authentication in .htaccess files to protect a folder’s files. The problem is the users and passwords are completely independent of WP, though I suppose WP could be coded to update the requisite .htpasswd file to match that of its users. WP would only be able to do this when users set/change their password since their plain text password is needed to generate the correct hash.

    Such a solution does not make for a good user experience IMO. They’d need to supply user/password separate from the WP login and the dialog box is not very user friendly, it confuses many people and there is nothing you can do to alter it.

    The other possibility is to place files in a protected folder that only PHP and FTP can access. To serve a restricted file to a user, PHP/WP, after verifying user capability, reads the file contents and relays it out to the user as a data stream. As long as the proper headers are sent first, this should work fine. It’s likely what the plugin you’ve been using does.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Restrict access to files/folders in directory to logged-in users only’ is closed to new replies.