nestor_at_mash

wow, I too think this is exactly what I need!! Thank you!
In fact, I think this is what WP should add to the core ASAP.
It’ll take me a while to package this into a plugin and add it to my site, but this is the approach I’ll take for sure.
If I manage to make a decent plugin, I’ll add it to the thread where your suggestion is found.

… of course I’ll check the plugins repository first. Somebody might’ve done it already.
thanks again!

fyllhund, thx again for your suggestions.

The last bit is not going to work, because I can’t limit access by IP address. My users are supposed to be able to access the site from anywhere.

I’ll try the rest of the “Auth..” directives to see what they actually do. The problem I forsee is that the ACL for WP is in its database and is not part of Linux (users logged onto WP are not necessarily logged onto Linux on the web server). So I would need to figure out how to tell Apache to read the WP database for the users. If I need to enter all users into a separate file it would be unmanageable ??

thx fyllhund for your reply!
My problem is not trying to avoid people from listing the contents of the uploads folder.
Instead, I need to avoid legitimate users from copying the link to any particular file (e.g. mysite.com/wp-content/uploads/mysupersecretcontent.pdf), sending the link to anybody else, then having those people grab the file from outside WP.

As far as I know, adding an index.php file would only limit the ability of users to list the contents of wp-content\uploads if they don’t add the actual file to the end of the URL.

Regarding the second part of your suggestion, I can’t limit access to the uploads folder for everybody, because I still need logged in users to be able to access the files. What I need to forbid is letting users not logged in to access the files.