Securing documents
Greetings. I am running an “Intranet on the Internet” group of sites for only people that I have created accounts for. Using the plugins “Members Only” and “Force User Login Multisite” it’s pretty well restricted. However, if someone knows the URL of a media file, PDF, etc., they can grab it without even authenticating. What I did to try and prevent this was to use Apache’s mod_rewrite and insert the following (I have 3 live sites, so I’m using my “playground” site to test):
RewriteCond %{REQUEST_URI} /playground/.*
RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in_.*
RewriteRule .* https://site/wp-login.php [R,L]
When a user authenticates to WordPress they get a cookie called wordpress_logged_in_… so I figured if I had Apache check for that cookie, and if it wasn’t there, redirect the user to the login page, that would solve my problem. But instead, depending on my exact configuration attempt, I either get infinite redirects or nothing at all happens, and I’m having trouble figuring out why. Please advise if you can.
For the sake of completeness, here is my full .htaccess file:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
# testing for playground cookies
RewriteCond %{REQUEST_URI} /playground/.*
RewriteCond %{HTTP_COOKIE} !.*wordpress_logged_in_.*
RewriteRule .* https://site/wp-login.php [R,L]
php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300
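A reworked version of the cookie gate, added here as an example and not taken from the post or any reply: it is scoped to the subsite's upload path and placed ahead of the stock WordPress multisite rules, because both the `files/` rule and `RewriteRule . index.php [L]` end rule processing with [L], so a check that sits after them is never reached. The host `site` and the subsite `playground` are the post's own placeholders.

```apache
# Added example, not from the original post. Assumes a subdirectory
# multisite at https://site/ with the "playground" subsite at
# /playground/ and uploads requested as /playground/files/<name>.
RewriteEngine On
RewriteBase /

# Gate playground uploads first. Placing this block after the stock
# rules below means it never runs: "files/" and "." both carry [L].
RewriteCond %{REQUEST_URI} ^/playground/files/ [NC]
# Only requests that carry no wordpress_logged_in_* cookie are bounced,
# and only to the login page itself (never a loop: the login URL is not
# under /playground/files/, so this block does not match it again).
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
# Send the visitor back to the file after they log in.
RewriteRule ^ https://site/wp-login.php?redirect_to=%{REQUEST_URI} [R=302,L]

# Stock WordPress multisite rules follow, unchanged.
RewriteRule ^index\.php$ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
RewriteRule . index.php [L]
```

Note that this only tests for the presence of a cookie with that name prefix, which any client can set by hand, so it stops casual link-sharing but is not authentication; real enforcement means serving the download through PHP that loads WordPress and checks is_user_logged_in() before reading the file.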