Docs / Settings Reference / Media Protection Settings
Get Help

Media Protection Settings

Updated Jan 26, 2026 Settings Reference

Protect your WordPress media library files from unauthorized access and hotlinking. Access these settings from Downloads > Settings > Media Protection.

Overview

Media Protection adds an extra layer of security to files in your WordPress media library, preventing:

  • Direct file URL access
  • Hotlinking from external sites
  • Unauthorized downloads
  • Search engine indexing of files

    • Protection Modes

    No Protection

    Files are accessible via direct URL (WordPress default behavior).

    Use when:

  • Files are meant to be public
  • SEO indexing of files is desired
  • Maximum compatibility is needed

    • Basic Protection

    Adds referrer checking and basic access control.

    Feature Description
    Referrer Check Verify request comes from your site
    Login Required Require user login for access
    Direct Link Block Block direct URL access

    Advanced Protection

    Full protection with multiple security layers.

    Feature Description
    Signed URLs Time-limited, signed download links
    IP Validation Lock downloads to requesting IP
    User Agent Check Verify legitimate browsers
    Rate Limiting Limit downloads per user/IP

    Protection Settings

    File Types

    Select which file types to protect:

    Category Extensions
    Documents pdf, doc, docx, xls, xlsx, ppt, pptx
    Archives zip, rar, 7z, tar, gz
    Media mp3, mp4, avi, mov, wav
    Images jpg, png, gif, webp
    Custom Specify custom extensions

    Directory Protection

    Setting Description Default
    Uploads Directory Protect wp-content/uploads Enabled
    WPDM Directory Protect wpdm-files directory Enabled
    Custom Directories Add additional directories None

    Hotlink Protection

    Prevent other websites from embedding your files.

    Allowed Referrers

    Referrer Description
    Own Domain Your website (automatic)
    Subdomains Include subdomains
    CDN Domains Your CDN URLs
    Custom Domains Manually added domains

    Hotlink Response

    Response Description
    403 Forbidden Return forbidden error
    404 Not Found Pretend file doesn’t exist
    Redirect Redirect to custom page
    Placeholder Serve placeholder image

    Hotlink Settings

    Setting Description Default
    Enable Hotlink Protection Turn on/off Enabled
    Allow Empty Referrer Allow direct browser access Enabled
    Log Violations Record blocked attempts Enabled
    Block Search Engines Block Googlebot, etc. Disabled

    Access Control

    User-Based Protection

    Setting Description
    Require Login User must be logged in
    Allowed Roles Roles that can access
    Deny Roles Roles that are blocked
    Guest Access Allow non-logged users

    Time-Based Access

    Setting Description
    Link Expiration How long links are valid
    Access Window Time range for access
    Max Downloads Downloads per link

    Server Configuration

    Apache (.htaccess)

    WPDM can automatically add protection rules to .htaccess:

    # WPDM Media Protection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www.)?yoursite.com [NC]
RewriteRule .(pdf|zip|mp3|mp4)$ - [F,L]
</IfModule>

    Nginx

    For Nginx servers, add to your configuration:

    # WPDM Media Protection
location ~* .(pdf|zip|mp3|mp4)$ {
    valid_referers none blocked yoursite.com *.yoursite.com;
    if ($invalid_referer) {
        return 403;
    }
}

    LiteSpeed

    Similar to Apache, uses .htaccess rules automatically.

    Security Headers

    Additional security headers for protected files:

    Header Purpose
    X-Content-Type-Options Prevent MIME sniffing
    X-Frame-Options Prevent embedding
    Content-Disposition Force download
    Cache-Control Control caching

    Logging & Monitoring

    Access Log

    Track who accesses protected files:

    Field Description
    Timestamp When accessed
    File File that was accessed
    User User ID if logged in
    IP Address Requesting IP
    Referrer Where request came from
    Status Allow/Block/Error

    Security Alerts

    Alert Trigger
    High Violation Rate Many blocked attempts
    New IP Pattern Unusual access patterns
    Failed Auth Multiple failed logins
    Unusual Activity Anomaly detection

    Performance Considerations

    Caching

    Setting Description Impact
    Cache Rules Cache protection decisions Faster
    Cache Duration How long to cache Memory
    Bypass Cache Skip for logged users Accuracy

    CDN Compatibility

    CDN Configuration
    Cloudflare Bypass cache for protected files
    AWS CloudFront Use signed URLs
    BunnyCDN Token authentication
    KeyCDN Referrer restrictions

    Troubleshooting

    Common Issues

    “Legitimate Users Blocked”

  • Check referrer settings
  • Allow empty referrer
  • Verify allowed domains

    • “Files Still Accessible”

  • Clear server cache
  • Verify .htaccess rules
  • Check file type settings

    • “Slow Downloads”

  • Enable caching
  • Check server resources
  • Optimize protection rules

    • Debug Mode

    Enable to troubleshoot issues:

  • Enable Debug Mode
  • Access a protected file
  • Check debug log
  • Review decision flow

    • Tips

  • Start with basic protection, upgrade as needed
  • Always allow your own domain as referrer
  • Enable empty referrer to avoid false blocks
  • Test thoroughly after enabling protection
  • Monitor logs for unusual patterns
  • Keep server configuration updated

    • Related Documentation

  • Download Protection
  • Access Control
  • Troubleshooting
    • Last updated on January 26, 2026

    Need Help?

    Get support from our team or community forum.

    Visit Support

    Customization

    Need custom features? We can help.

    Request Quote