6.5 Protecting Files

Created by Danny Wong, Modified on Sun, 9 Aug, 2020 at 2:47 PM by Danny Wong

MemberPress has some powerful features to help you protect static files. MemberPress's file protection works at the web-server level which provides an absolute protection of each file. For example, even if a person without access to a file somehow managed to get a direct link to it, MemberPress would stop them in their tracks, and ask them to register or login (if they've already registered) before being allowed to download that file.

What types of files can MemberPress Protect?

MemberPress can protect any file that is not required for the proper functioning of your website.

Therefore MemberPress can only protect the following file types:

'zip','gz','tar','rar','doc','docx','xls','xlsx','xlsm','pdf','mp4','m4v','mp3','ts','key','m3u8'

If you want to protect any file type that is not listed above, we recommend just zipping them up and protecting a single .zip file instead.

Additionally, you can add some custom code to your theme's functions.php file if you have one, or to a plugin like  My Custom Functions. Here is an example of that code:

function add_types_protectable($types, $rules) {
  $types[] = 'csv';
  
  return $types;
}
add_filter('mepr_rewrite_rules_protect_types', 'add_types_protectable', 11, 2);

After adding that custom code you will need to refresh your WordPress permalinks by going to your WordPress Dashboard > Settings > Permalinks > and simply clicking the 'Save Changes' button at the bottom of that page. 

Note: we don't recommend protecting PHP, HTML, images, javascript, css, fonts or other frequently accessed website files as it will hurt performance.

Back to the top

Protecting a Single File

If you have one file to protect then here's how you'd do it:

  1. Upload the file using the WordPress Media Uploader.
  2. Create a Custom URI Rule to protect the file.

Say the file you uploaded had this URL: http://example.com/wp-content/uploads/2015/10/report.pdf

The Rule you'd create for this file would be a Custom URI type pointing at just the path (part after http://example.com) to the file. So you would type only:

/wp-content/uploads/2014/12/report.pdf

in the text box for this Rule.

Easy, right? Well, for 1 or 2 files this is pretty easy but you can see how this could get seriously time consuming if you needed to protect 20, 100 or even 1000 files. So let's see how you can create 1 Rule to protect multiple files.

Back to the top

Multiple Files

Now let's say you have 10 files and want the same membership level to have access to each.

The idea here is that you'd want to either put each file in a special folder with FTP (recommended), or make sure that each file you upload via the Media Uploader has a common prefix (not recommended unless FTP isn't an option).

Even though we don't recommend protecting multiple files which were uploaded using the Media Uploader in WordPress, we do understand that there may be times you want/need to. Therefore, if you upload these files via the Media Uploader they'd have the following URLs:

http://example.com/wp-content/uploads/2015/10/bronze_report.pdf
http://example.com/wp-content/uploads/2015/10/bronze_report.doc
http://example.com/wp-content/uploads/2015/10/bronze_report.docx
http://example.com/wp-content/uploads/2015/10/bronze_analysis.pdf
http://example.com/wp-content/uploads/2015/10/bronze_analysis.doc
http://example.com/wp-content/uploads/2015/10/bronze_analysis.docx
http://example.com/wp-content/uploads/2015/10/bronze_groupings.pdf
http://example.com/wp-content/uploads/2015/10/bronze_groupings.doc
http://example.com/wp-content/uploads/2015/10/bronze_groupings.docx
http://example.com/wp-content/uploads/2015/10/bronze_archive.zip

Now all you'd have to do is create 1 Custom URI type Rule with this as its path:

/wp-content/uploads/2015/10/bronze_

This will protect any file in the /wp-content/uploads/2015/10/ folder that has a name beginning with "bronze_".

Back to the top

Multiple Files with FTP

FTP/SFTP is a robust way to transfer files from your local computer to your website. Most webhosts provide free FTP services so you can access your site files remotely from your own computer. Availability of FTP can vary from webhost to webhost, and can have different requirements, but typically you'll use an FTP client like FileZilla or Cyberduck and will connect to your server via FTP/SFTP. This will allow you to have filesystem access to your webserver to create folders and upload files in a way similar to how you'd copy files between folders on your own local computer.

In this example we'll use FTP to create a folder named /protected/ and import our files into it so we have the following URLs now:

http://example.com/protected/report.pdf
http://example.com/protected/report.doc
http://example.com/protected/report.docx
http://example.com/protected/analysis.pdf
http://example.com/protected/analysis.doc
http://example.com/protected/analysis.docx
http://example.com/protected/groupings.pdf
http://example.com/protected/groupings.doc
http://example.com/protected/groupings.docx
http://example.com/protected/archive.zip

This scenario can be superior to using the WordPress Media Uploader if you're planning on adding files to your folder later because WordPress's Media Uploader will sometimes put files uploaded at different times in different folders.

So with this example all you'd have to do is create a Custom URI type Rule with this as the path (typed into the text box for the Rule):

/protected/

Now let's look at using some more advanced matching with Regular Expressions.

Back to the top

Regular Expressions

Regular Expressions is a unique and descriptive search syntax commonly used across all modern programming languages to select and process text. It will allow you to protect very specific groups of files with ease.

The idea here is that it will allow you to match patterns in a given URL and protect the URL if it matches one of your Custom URI type Rules with regular expression enabled.

For example, in the FTP example from above, if you wanted to allow some users to have access to just the pdf's and others to have access to your pdf, doc, docx and zip files you could create 2 different regular expression Rules -- the first for one membership level and the second for another.

The first Rule for your first membership level would have a path of something like:

^/protected/.*\.pdf

The second Rule for your other membership level would have a path of something like:

^/protected/.*\.(pdf|doc|docx|zip)

Granted, Regular Expressions can be difficult to master, but they can provide some powerful matching and file protecting capabilities in MemberPress Custom URI type Rules. We've found that http://www.regular-expressions.info/ is a good resource for anyone wanting to figure out this powerful technology. Also, if you do have some more complex needs, our support team is quite masterful in figuring out Regular Expressions for whatever you need to protect -- so feel free to submit a support request if you need help with this feature.

Back to the top

Technical Requirements

Because this feature utilizes your website's underlying webserver to protect files, there are some technical requirements that must be met in order for this feature to work properly. We've written MemberPress to work with the most common server configurations out there but if things aren't working fully for you, here are some things to check:

  1. Your website must be served by Apache, or an Apache compatible webserver like Litespeed. The rewrite rules that MemberPress installs are specific to Apache. If you're unsure what webserver you're using then it's probably Apache, but to be sure, you can contact your webhost. MemberPress does not support file protection on other webservers like nginx, IIS, or other non-Apache based servers. However, if your webserver is using nginx as a proxy (in front of Apache), you may be able to use the nginx proxy bypass code outlined in the Nginx section on this page.
  2. Your WordPress install should have sufficient privileges to make changes to your .htaccess file. If your .htaccess file is unwritable by WordPress then you can edit it manually by following our advanced rewrite instructions.
  3. Your WordPress install must have the ability to write files in your /wp-content/uploads folder. This is also a requirement for the WordPress Media Uploader to upload files so if that's working then this should be working as well.
  4. Cloudflare and other CDN's and caching have the potential of getting in the way of file protection. This is because they either cache the file so it can not be protected, or they interfere with our protection cookies and cause infinite redirect loops. Important note: because of this, if you are having issues with file protection, you should shut off any CDN and caching to see if that is a possible cause before contacting our support.

We've also seen users with custom rewrite rules that have interfered with the MemberPress rewrite rules. So if this feature doesn't seem to be working and you feel like you've gone through all of these steps, please contact our support team and we'll help.

Back to the top

Protect Additional File-Types

MemberPress can protect additional file-types. Keep in mind that each protect-able file-type http request will cause a second request to the site to check if the file is protected or not. For this reason we do not recommend protecting files like images (jpg, png, gif, etc) or scripts (css, js) or font files as it could cause significant load to your server. Use the following custom code in a plugin like My Custom Functions or Code Snippets to add additional filetypes. The code below adds "html" and "htm" filetypes to the list of protected files. Once adding this code, you'll also need to refresh your WordPress permalink settings to force WordPress to update the .htaccess file for your site.

function add_types_protectable($types, $rules) {
  $types[] = 'htm';
  $types[] = 'html';
  
  return $types;
}
add_filter('mepr_rewrite_rules_protect_types', 'add_types_protectable', 11, 2);

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article