• Resolved sjlae50

    (@sjlae50)


    Dear all
    Did I understand it correctly that direct media file access can’t be blocked with this plugin?
    We have an internal area for logged-in users and offer several file downloads. If a user who is not logged in has a direct link to a document only accessible in the internal area, they are currently able to open that file.
    We had the same for simple pages in the internal area. For that, your plugin works brilliantly and blocks direct URL access to internal sites for not-logged-in users or users with an unauthorized role.
    Do you have an idea how we can block direct URL media file access?
    Thank you.
    Best wishes,
    Silvan St?heli

Viewing 1 replies (of 1 total)
  • Plugin Author Daniel Iser

    (@danieliser)

    @sjlae50 – Sorry for the delay. That is correct at this time. We are exploring options, but nearly all (on modern hosts) require manually tweaking server configs (outside of WP).

    The reason is modern hosts don’t send requests for files through WordPress as it’s inefficient. For page speed sake they load directly from disk when possible.

    So the only way to block in those cases is to do it via Nginx config or Apache .htaccess changes.

    We are exploring another option where we force those images to load using a dynamic url so that the raw url is never exposed.

    Even then if they get access to the raw file url they could still access it without modifying server config.

    That said if you have file/folder/xyz.png but never mention it outside of a page where you have to be authenticated to see it, then it should be safe by occlusion.

    You could probably contact your host and ask about password protecting those directories, but that isn’t ideal either. The solution needs to authenticate using WordPress which means going through PHP (dynamic url method).

    Honestly, no great answers here. Even the dynamic url method has a performance penalty built in, now every image request hits the server’s PHP processes, 20 images + page html makes a lot of extra PHP requests unfortunately.

    We won’t build a solution that sucks, so until we work out a way we can make this work for nearly everyone we will just do our best to let users know it doesn’t protect those things.

    Hope that helps.

    • This reply was modified 4 years, 8 months ago by Daniel Iser.
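
The "dynamic url" approach described in the reply above, as an added example that is not from the thread or from the plugin: a small WordPress plugin file that serves a download only after WordPress has authenticated the visitor. The `protected_file` query parameter and the `uploads/private` folder are assumptions, as is a server rule that refuses direct requests to that folder (the Nginx or Apache change the reply mentions).

```php
<?php
/**
 * Plugin Name: Protected Downloads (added example)
 *
 * Assumptions: files live in wp-content/uploads/private/, and the web server
 * refuses direct requests to that folder (for example a .htaccess containing
 * "Require all denied" on Apache 2.4), so this handler is the only way in.
 */

// Hypothetical URL shape: /?protected_file=reports/q1.pdf
add_action( 'init', function () {
    if ( ! isset( $_GET['protected_file'] ) ) {
        return;
    }

    // Authenticate through WordPress; add a role or capability check here if needed.
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // Redirects to the login page and exits.
    }

    $base      = realpath( wp_upload_dir()['basedir'] . '/private' );
    $requested = wp_unslash( $_GET['protected_file'] );
    $path      = $base ? realpath( $base . '/' . $requested ) : false;

    // realpath() resolves "../" and symlinks; the result must stay inside $base.
    if ( ! $path || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $path ) ) {
        status_header( 404 );
        exit;
    }

    // Only serve file types WordPress itself accepts as uploads.
    $type = wp_check_filetype( $path );
    if ( ! $type['type'] ) {
        status_header( 403 );
        exit;
    }

    nocache_headers(); // Keep shared caches and CDNs from storing the protected response.
    header( 'Content-Type: ' . $type['type'] );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( basename( $path ) ) . '"' );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
} );
```

Every download through this handler costs a PHP request, which is the performance penalty the reply describes.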
  • The topic ‘Media access’ is closed to new replies.