Password Protect WordPress Attachments (files)

You might have some sections of your WordPress site that are only accessible to registered WordPress users. It is easy to restrict a page or post in WordPress to registered users, but what about the attachments of that post or page (files, images)?

They are not protected by default: if a request is made directly to the file, it can be accessed without any password. One possible solution is to protect the files in a directory with an htaccess password, but do you really want to manage a new set of usernames and passwords outside of WordPress? Not really.

Here is the solution: use .htaccess to check whether a user is logged in to the WordPress site when accessing the files area, and if not, redirect to the WordPress login page. Here is the new .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Requests under uploads/ without a wordpress_logged_in cookie go to the login page
RewriteCond %{REQUEST_URI} ^.*uploads/.*
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule . /wp-login.php?redirect_to=%{REQUEST_URI} [R,L]

# Standard WordPress rules
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

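We have simply protected the whole uploads area and redirect to the login page if the user is not logged in. You can protect a different directory by changing the path in the first RewriteCond. Note that the rule only tests for the presence of a cookie whose name contains wordpress_logged_in; Apache does not verify the cookie's value.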
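A sturdier variant of the same idea, added here as an example (not code from the original post or from WordPress itself): route uploads requests through a small PHP gateway so that WordPress validates the session instead of Apache matching a cookie name. The file name dl-file.php, the `file` query parameter and the rewrite rule shown in the comment are assumptions.

```php
<?php
// dl-file.php (hypothetical name), placed in the WordPress root next to wp-load.php.
// Assumed rewrite rule replacing the cookie test in .htaccess:
//   RewriteRule ^wp-content/uploads/(.+)$ dl-file.php?file=$1 [QSA,L]

require_once __DIR__ . '/wp-load.php';   // boots WordPress so its auth functions exist

// WordPress verifies the signed auth cookie here, so a cookie that merely
// carries the right name is rejected.
if ( ! is_user_logged_in() ) {
    auth_redirect();                      // redirects to wp-login.php and exits
}

$uploads  = wp_upload_dir();
$base     = realpath( $uploads['basedir'] );
$relative = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
$path     = realpath( $base . '/' . $relative );

// realpath() resolves "../" and symlinks; refuse anything outside uploads.
if ( false === $base || false === $path
    || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
    || ! is_file( $path ) ) {
    status_header( 404 );
    exit( 'File not found.' );
}

// Only serve types WordPress itself allows as uploads.
$type = wp_check_filetype( $path );
if ( empty( $type['type'] ) ) {
    status_header( 403 );
    exit( 'File type not allowed.' );
}

// Keep shared caches from storing a protected file.
nocache_headers();
header( 'Content-Type: ' . $type['type'] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

Every protected download now starts a full WordPress request, so this costs more per file than the pure .htaccess rule.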

Thanks to this support forum thread for the heads up:


I strongly suggest the use of this plugin:

It lets you set the name of the upload directory, so we don't have to protect the whole uploads directory. Because protecting the whole uploads will also

5 Responses


This worked really well for me, thanks! 🙂


This is great! However, I am on a Windows IIS server. Do you know if there is an equivalent way to do this with IIS? Thank you.


I just developed an easy way to protect images on a simple password-protected page in WordPress. (a page which uses the inbuilt WordPress password protected page)

3 steps to do it:

1) Put a htaccess file in the folder which you want to protect. The folder which holds your image. Text:

deny from all

2) In wp-content/wp-includes/post-template.php find the function post_password_required –

at the end of the function just before return false add this piece of code:

$allow_ip.="\n".'allow from '.$ok_ip;

return false;

now access is allowed from the IP which has the password. In case of shared IP this might be a problem for you so:

3) Use javascript/jquery $(window).load and make an ajaxcall to a php program which sets

file_put_contents(WP_CONTENT_DIR.'/uploads/secretfolder/.htaccess','deny from all') this happens after all pictures are loaded and will do for most situations

in case you have much traffic you might just remove actual IP from allowed ips in a similar manner.

It also goes well with a plugin like ft protect children pages (not mine)

Try also my new plugin jaip page style


+1 for this trick bro, well done!


This isn’t very secure.

How do you know the “^.*wordpress_logged_in.*$” cookie isn’t forged?
