6.9 Understanding Rewrite Rules for File Protection

Created by Danny Wong, Modified on Sun, 09 Aug 2020 at 02:49 PM by Danny Wong

MemberPress uses some advanced Apache rewrite rules to protect files not controlled directly by WordPress.

Once your rewrite rules are setup properly a Custom URI rule in MemberPress should be able to protect any file types except:

php, phtml, jpg, jpeg, gif, css, png, js, ico, svg, woff, ttf and xml

These file types are excluded in order to avoid possible performance issues.

Here's how you can construct your rewrite rules on various web servers:

Apache & Litespeed

Most web hosts offering WordPress are running Apache as their web server. If you're running Apache and your apache user has write access to your document root (which is the most common configuration) then you shouldn't have to alter your rules at all ... MemberPress should be able to automatically place your rules properly.

However, if you do need to edit your Apache rewrite rules here is what you'll need to add after WordPress' rules:

# BEGIN MemberPress Rules
<IfModule mod_rewrite.c>

RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
RewriteCond /var/www/somesite.com/wp-content/uploads/mepr/rules/%1 -f
RewriteRule ^(.*)$ - [L]

RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3|TS|KEY|M3U8)$
RewriteRule . /wp-content/plugins/memberpress/lock.php [L]

</IfModule>
# END MemberPress Rules

Note: The code should be pasted directly under the # END WordPess line in the .htaccess file.
Note: You will need to make sure you replace /var/www/somesite.com/ with your actual docroot path.

Nginx

MemberPress does not officially support Nginx as a web-server. However, you may have luck getting your webhost support team to implement one of the following for you.

Nginx as an Apache Proxy

If your webhost uses Nginx as a proxy (in front of) for Apache:

location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ {
  proxy_pass http://localhost:PORT_HERE;
}

Note: The PORT_HERE part will need to be changed, your host should know the correct port # for apache.

Nginx as a Standalone Webserver

If you're using only Nginx as the web-server, you might have success with the following location block in your Nginx configuration file:

        location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ {
                # Setup lock variables
                set $mplk_uri "/wp-content/plugins/memberpress/lock.php";
                set $mplk_file "/var/www/html/wp-content/uploads/mepr/rules/${cookie_mplk}";

                # don't lock the lock uri
                if ($uri ~* "^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)") { break; }

                # redirect if the lock file's a dir or doesn't exist
                if (-d $mplk_file) { rewrite ^ $mplk_uri last; }
                if (!-e $mplk_file) { rewrite ^ $mplk_uri last; }
        }

Note: You would need to alter the /var/www/html/ portion of the path in the line below, to match the path to your wordpress installation folder

IIS and other web servers

Currently we don't have any supported rules for these web-servers.