Media Protection Settings

Updated Mar 30, 2026

Protect your WordPress media library files from unauthorized access and hotlinking. Access these settings from Downloads > Settings > Media Protection.

Overview

Media Protection adds an extra layer of security to files in your WordPress media library, preventing:

  • Direct file URL access
  • Hotlinking from external sites
  • Unauthorized downloads
  • Search engine indexing of files

Server Information

This section displays your server’s readiness for different protection methods.

Indicators you may see:

  • Private dir exists – A private directory has been created successfully.
  • Private dir writable – The directory has proper write permissions.
  • Outside webroot – The directory is located outside the public web directory for maximum security.
  • .htaccess exists – The .htaccess file is present.
  • .htaccess writable – The file can be modified by the plugin.
  • mod_rewrite – Indicates whether Apache’s rewrite module is available.

These checks help determine which protection methods are supported on your server.

Protection Modes

Protection Method

Choose how protected media files are delivered to authorized users. There are three available options:

| Method | Performance | Security | Compatibility |
| --- | --- | --- | --- |
| PHP Proxy | Medium | High | Universal |
| .htaccess Rewrite | High | High | Apache only |
| Private Storage | High | Maximum | Requires setup |

1. PHP Proxy (Universal)

  • Files are served through PHP.
  • Works on all server environments.
  • Easier to set up but may be slower for large files.

Best for: Compatibility across all hosting environments.

2. .htaccess Rewrite Rules (Recommended)

  • Uses Apache’s mod_rewrite to redirect protected files.
  • More efficient than PHP-based delivery.
  • Requires Apache server with rewrite support.

Best for: Most users on Apache servers who want better performance.

3. Private Storage

  • Moves files to a private directory outside the web root.
  • Provides the highest level of security.
  • Requires additional storage management.

Best for: Maximum security and sensitive media files.

Private Storage Configuration

This section appears when Private Storage is selected.

Custom Storage Path (Optional)

  • Specify a custom directory for storing protected files.
  • Must be an absolute path.
  • Directory must be writable and located outside the web root.

Tip: Leave empty to use the automatically detected default location.

Current Storage Location

Displays the directory currently used for private storage. Example:

/home/your-site/public_html/wpdm-private-media/

Security Level

  • Indicates the current protection level.
  • Maximum (Outside Web Root) ensures files are not directly accessible via URL.
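The indicators above (exists, writable, outside web root) can be recomputed by hand for any candidate storage path. The following is an added example, not WPDM's own code; the function name, the returned keys and the extra symlink scan are assumptions made for illustration.

```python
import os
from pathlib import Path


def _within(path, parent):
    """True when resolved `path` is `parent` itself or lies beneath it."""
    return path == parent or parent in path.parents


def storage_report(private_dir, web_root):
    """Recompute the private-storage indicators for a candidate path."""
    private = Path(private_dir).resolve()  # resolves symlinks and ".."
    root = Path(web_root).resolve()
    exists = private.is_dir()
    # A symlink inside the web root that leads to the private directory (or
    # to one of its parents) can make it reachable by URL again on servers
    # that follow symlinks, so list any that are found.
    links = []
    if exists and root.is_dir():
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                entry = Path(dirpath, name)
                if not entry.is_symlink():
                    continue
                target = entry.resolve()
                if _within(target, private) or _within(private, target):
                    links.append(str(entry))
    return {
        "absolute": Path(private_dir).is_absolute(),
        "exists": exists,
        "writable": exists and os.access(private, os.W_OK),
        "outside_webroot": not _within(private, root),
        "symlinks_from_webroot": sorted(links),
    }
```

If `public_html` is the web root (an assumption about the hosting layout), `storage_report("/home/your-site/public_html/wpdm-private-media/", "/home/your-site/public_html")` reports `outside_webroot` as `False`, so a location like the example above would not qualify for the Maximum level.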

Private Storage Status

Provides an overview of your private storage usage:

  • Files in Private Storage – Number of protected files stored.
  • Total Size – Combined size of stored files.
  • Storage Path – The directory where files are stored.

Protection Mode

No Protection

Files are accessible via direct URL (WordPress default behavior).

Use when:

  • Files are meant to be public
  • SEO indexing of files is desired
  • Maximum compatibility is needed

Basic Protection

Adds referrer checking and basic access control.

| Feature | Description |
| --- | --- |
| Referrer Check | Verify request comes from your site |
| Login Required | Require user login for access |
| Direct Link Block | Block direct URL access |

Advanced Protection

Full protection with multiple security layers.

| Feature | Description |
| --- | --- |
| Signed URLs | Time-limited, signed download links |
| IP Validation | Lock downloads to requesting IP |
| User Agent Check | Verify legitimate browsers |
| Rate Limiting | Limit downloads per user/IP |
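To make the Signed URLs and IP Validation rows concrete, the following added example (not WPDM's own implementation) shows one common way to issue and verify a time-limited link bound to the requesting IP. The HMAC-SHA256 construction, the `expires` and `sig` parameter names, the function names and the key are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # placeholder; use a random server-side secret


def _mac(path, expires, ip):
    """HMAC over every value the link is supposed to be bound to."""
    msg = f"{path}\n{expires}\n{ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, client_ip, ttl=300, now=None):
    """Build a link valid for `ttl` seconds and only for `client_ip`."""
    issued = int(now if now is not None else time.time())
    expires = issued + ttl
    query = urlencode({"expires": expires, "sig": _mac(path, expires, client_ip)})
    return f"{path}?{query}"


def verify_url(url, client_ip, now=None):
    """Return (allowed, reason) for a request presenting `url` from `client_ip`."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _mac(parts.path, expires, client_ip)
    # Verify the MAC first, in constant time, so an edited expiry or a
    # different client IP is rejected before the timestamp is trusted.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad-signature"
    current = now if now is not None else time.time()
    if current > expires:
        return False, "expired"
    return True, "ok"
```

Because the path, expiry and IP are all inside the MAC, changing any one of them in the link invalidates the signature.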

Protection Settings

In addition to global settings, you can apply protection to specific media files.

How to Apply Protection

  1. Go to the Media Library.
  2. Select the file you want to protect.
  3. Configure protection options (Password / Allow Access).
  4. Click Apply Protection.

Once applied, the file will follow the selected access rules.

Password Protection

  • Restrict access using a password.
  • Only users with the correct password can access the file.

Use case: Sharing files with specific people without creating user accounts.

Allow Access

  • Limit access based on user roles (e.g., Subscriber, Editor, Admin).
  • Only logged-in users with allowed roles can access the file.

Use case: Membership sites or restricted content areas.

Directory Protection

| Setting | Description | Default |
| --- | --- | --- |
| Uploads Directory | Protect wp-content/uploads | Enabled |
| WPDM Directory | Protect wpdm-files directory | Enabled |
| Custom Directories | Add additional directories | None |

Hotlink Protection

Prevent other websites from embedding your files.

Allowed Referrers

| Referrer | Description |
| --- | --- |
| Own Domain | Your website (automatic) |
| Subdomains | Include subdomains |
| CDN Domains | Your CDN URLs |
| Custom Domains | Manually added domains |

Hotlink Response

| Response | Description |
| --- | --- |
| 403 Forbidden | Return forbidden error |
| 404 Not Found | Pretend file doesn’t exist |
| Redirect | Redirect to custom page |
| Placeholder | Serve placeholder image |
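The allowed-referrer decision described above comes down to comparing the host in the Referer header against an allow-list. This added example (not WPDM's code) shows that comparison done on the parsed hostname rather than on a substring; the function name, the `cdn.example.net` entry and the parameter names are assumptions.

```python
from urllib.parse import urlsplit

OWN_DOMAIN = "yoursite.com"
EXTRA_HOSTS = {"cdn.example.net"}  # constructed CDN / custom domain entry


def referer_allowed(referer, allow_empty=True, allow_subdomains=True):
    """Return True when the Referer header passes the hotlink policy."""
    if not referer:
        # Direct visits and privacy tools send no Referer at all.
        return allow_empty
    try:
        parts = urlsplit(referer)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False  # unparsable header value
    if parts.scheme not in ("http", "https") or not host:
        return False
    if host == OWN_DOMAIN or host in EXTRA_HOSTS:
        return True
    # A subdomain must end with ".yoursite.com"; the leading dot keeps
    # look-alike hosts such as "notyoursite.com" from matching.
    return allow_subdomains and host.endswith("." + OWN_DOMAIN)


# Constructed sample headers, evaluated with the default policy.
SAMPLES = [
    "https://yoursite.com/gallery/",
    "https://www.yoursite.com/post/1",
    "https://cdn.example.net/assets/app.css",
    "",
    "https://yoursite.com.example.org/page",
    "https://notyoursite.com/",
]


def evaluate_samples():
    """Map each sample header to the response a 403-style policy would give."""
    return [(s, 200 if referer_allowed(s) else 403) for s in SAMPLES]
```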

Access Control

User Based Protection

| Setting | Description |
| --- | --- |
| Require Login | User must be logged in |
| Allowed Roles | Roles that can access |
| Deny Roles | Roles that are blocked |
| Guest Access | Allow non-logged users |

Time Based Access

| Setting | Description |
| --- | --- |
| Link Expiration | How long links are valid |
| Access Window | Time range for access |
| Max Downloads | Downloads per link |

Server Configuration

Apache (.htaccess)

WPDM can automatically add protection rules to .htaccess:

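# WPDM Media Protection
<IfModule mod_rewrite.c>
RewriteEngine On
# Requests with an empty Referer are let through (direct visits, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Block when the Referer does not start with yoursite.com or www.yoursite.com.
# The host pattern has no trailing anchor; append (/|$) when maintaining this rule by hand.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com [NC]
# Return 403 Forbidden for the protected file types
RewriteRule \.(pdf|zip|mp3|mp4)$ - [F,L]
</IfModule>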

Nginx

For Nginx servers, add to your configuration:

# WPDM Media Protection
location ~* \.(pdf|zip|mp3|mp4)$ {
    # "none" allows a missing Referer; "blocked" allows one stripped by a proxy or firewall
    valid_referers none blocked yoursite.com *.yoursite.com;
    if ($invalid_referer) {
        return 403;
    }
}

LiteSpeed

As with Apache, LiteSpeed uses the .htaccess rules automatically.

Security Headers

Additional security headers for protected files:

| Header | Purpose |
| --- | --- |
| X-Content-Type-Options | Prevent MIME sniffing |
| X-Frame-Options | Prevent embedding |
| Content-Disposition | Force download |
| Cache-Control | Control caching |

Logging & Monitoring

Access Log

Track who accesses protected files:

| Field | Description |
| --- | --- |
| Timestamp | When accessed |
| File | File that was accessed |
| User | User ID if logged in |
| IP Address | Requesting IP |
| Referrer | Where request came from |
| Status | Allow/Block/Error |

Security Alerts

| Alert | Trigger |
| --- | --- |
| High Violation Rate | Many blocked attempts |
| New IP Pattern | Unusual access patterns |
| Failed Auth | Multiple failed logins |
| Unusual Activity | Anomaly detection |

Performance Considerations

Caching

| Setting | Description | Impact |
| --- | --- | --- |
| Cache Rules | Cache protection decisions | Faster |
| Cache Duration | How long to cache | Memory |
| Bypass Cache | Skip for logged users | Accuracy |

CDN Compatibility

| CDN | Configuration |
| --- | --- |
| Cloudflare | Bypass cache for protected files |
| AWS CloudFront | Use signed URLs |
| BunnyCDN | Token authentication |
| KeyCDN | Referrer restrictions |

Troubleshooting

Common Issues

Legitimate Users Blocked:

  • Check referrer settings
  • Allow empty referrer
  • Verify allowed domains

Files Still Accessible:

  • Clear server cache
  • Verify .htaccess rules
  • Check file type settings

Slow Downloads:

  • Enable caching
  • Check server resources
  • Optimize protection rules

Debug Mode

Enable to troubleshoot issues:

  • Enable Debug Mode
  • Access a protected file
  • Check debug log
  • Review decision flow

Tips

  • Start with basic protection, upgrade as needed
  • Always allow your own domain as referrer
  • Enable empty referrer to avoid false blocks
  • Test thoroughly after enabling protection
  • Monitor logs for unusual patterns
  • Keep server configuration updated
  • Use PHP Proxy if other methods are not supported
  • Use .htaccess Rewrite Rules if your server supports Apache with mod_rewrite
