Click Wrap

Hello. Thank you for an excellent plug-in!

I am evaluating WordPress (and WordPress.com specifically) for a new site.

A key part of the spec is, I need to “click wrap” certain pages. That is, when a user visits those pages, the server checks for a cookie indicating the user has accepted terms of use, and if the cookie is not there, the visitor is redirected to a page where they can accept the terms; if they click accept, a cookie is placed, then they are brought to the content. Users who have already accepted can go straight to the content.

It’s important that no content from those pages hit the client computer until they accept terms.

I believe I can implement this with WordPress and the Redirection plugin, by redirecting users based on the ABSENCE of a cookie, and using regex to append the article name as a query parameter to the terms page (ie articles/foo redirects to accept_terms?return_to_article=foo). Does that sound correct?

I need to make sure malicious users can’t circumvent the redirect to access the content without accepting terms. Is that a reasonable assumption? Or was the plug-in not really designed with that requirement in mind, there are ways for a determined adversary to evade it? (I don’t know enough about WordPress internals to evaluate if and how it might be done, eg if there’s some way to spoof the server, or the plug-in depends on client JavaScript that can be disabled, etc.)

I also need to prevent users from directly accessing images used in the content without accepting terms. I have read on your site and on these forums that some WordPress servers serve files directly and therefore the plug-in cannot protect them. Is that true of WordPress.com? Would I need to self-host in order to configure the server to properly protect images?

Finally, I assume there’s no known issue combining this plugin with elementor? (A quick search of the forum did not turn anything up.)

Thank you very much!