We recently had to make some changes to a client’s WordPress site, including restricting public access to specific files in the WordPress media library. This meant preventing Google (and the public) from accessing or indexing any of these files, as well as preventing non-logged-in users from seeing files embedded in posts/pages.
The site had mostly .pdf files that needed to be protected. But this could have easily included any file type, or a mix, depending on the particular site’s needs.
By default, WordPress’ media library is an open book, meaning anyone can access these files by simply visiting the URL: domain.com/wp-content/uploads/
Solution
The Ultimate Member plugin (https://ultimatemember.com/) was already installed on the site at the build stage and was set up to have categories related to each specific building/property. Inside each page/post, Ultimate Member provides the option to associate the post with a particular category and to display it only to logged-in users of that category. (Users set up an account and are approved by an admin, and in doing so are associated with that particular property moving forward. They only see the files associated with their building/property.) This separation is a good point to keep in mind for projects that require this granular control between users.
Prevent Direct Access (https://preventdirectaccess.com/) is a paid plugin that was installed on the site to address the media library privacy issue. The plugin moves all of the protected files in the media library into a secure folder with the path of _pda. This prevents Google from indexing these files and also does not allow non-logged-in users to have access.
The challenge was that Prevent Direct Access was installed after the site already had its files in place, so a change in URL for approximately 900 files caused many broken links to appear. (URLs changed from their default path of /wp-content/uploads/ to /wp-content/uploads/_pda/.)
Redirects were used to address much of the URL path changes, but some stray files required searching and manual repair. This was a time-consuming process for both the client and our team members.
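The path change described above can be audited before it shows up as broken links. The following is an added example, not code from the site or from either plugin: it scans post HTML for links that still point at the old location of a protected file and produces both the corrected content and an old-to-new map that can feed redirects. The function names, the sample post and the assumption that the rest of the file path is unchanged under _pda are all illustrative.

```python
import re
from urllib.parse import urlsplit

UPLOADS = "/wp-content/uploads/"
PROTECTED = UPLOADS + "_pda/"  # folder the protected files are moved into

# Matches href="..." and src="..." attribute values in post HTML.
ATTR_RE = re.compile(
    r'''(?P<attr>\b(?:href|src))=(?P<q>["'])(?P<url>.*?)(?P=q)''', re.I)


def new_path(url, protected_files):
    """Return the rewritten URL if `url` is a protected file's old location."""
    parts = urlsplit(url)
    path = parts.path
    if not path.startswith(UPLOADS) or path.startswith(PROTECTED):
        return None  # not an upload, or already pointing at _pda
    rel = path[len(UPLOADS):]
    if rel not in protected_files:
        return None  # public media keeps its URL
    # Assumption: the sub-path after uploads/ is preserved under _pda/.
    return parts._replace(path=PROTECTED + rel).geturl()


def audit_post(html, protected_files):
    """Rewrite stale links in one post; return (fixed_html, {old: new})."""
    mapping = {}

    def fix(m):
        target = new_path(m["url"], protected_files)
        if target is None:
            return m.group(0)
        mapping[m["url"]] = target
        return f'{m["attr"]}={m["q"]}{target}{m["q"]}'

    return ATTR_RE.sub(fix, html), mapping


# Constructed sample data (not taken from the client site).
PROTECTED_FILES = {"2020/01/lease.pdf"}
SAMPLE_POST = (
    '<a href="https://domain.com/wp-content/uploads/2020/01/lease.pdf">Lease</a>'
    '<img src="/wp-content/uploads/2020/01/logo.png">'
    '<a href="/wp-content/uploads/_pda/2020/01/lease.pdf">Lease (fixed)</a>'
)

if __name__ == "__main__":
    fixed, redirects = audit_post(SAMPLE_POST, PROTECTED_FILES)
    for old, new in redirects.items():
        print(old, "->", new)
```

Running this over exported post content before enabling protection on an existing site gives a list of links to repair, rather than discovering them one at a time afterwards.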
Important Steps To Take Before Building
When evaluating a site before the build stage, the procedure moving forward is to evaluate the content the website will hold and consider whether there may be issues for the client if any of this information were displayed openly online.
As previously mentioned, installing plugins such as these after a site is built can cause multiple issues, and depending on how many files need to be secured, it can be very time-consuming.
Summary
The valuable lesson learned from this project was the challenge of protecting these files. Moving forward, it is to our advantage and the client’s to evaluate the current project needs around content privacy and also to ask the client about future use (requirements) so that we can put these plugins in place before uploading files.
If we ask these questions ahead of time and the needs of the site change after launch, our team can address these new requirements with confidence and can explain to the client what is involved in adding this additional layer of privacy. But assessing these needs ahead of time makes for a cleaner install, helps with conversations at a later date, and saves time for everyone.
Appendix
https://ultimatemember.com/