Skip to content
Read For Learn
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP
Read For Learn
  • Database
    • Oracle
    • SQL
  • C
  • C++
  • Java
  • Java Script
  • jQuery
  • PHP

Block Logged-Out User Access to Directory Outside of WordPress using .htaccess and PHP file

I like your solution checking the coockie from the .htaccess this will give a much quicker loading solution then my solution.

.htaccess

<IfModule mod_rewrite.c> 
  RewriteEngine On
  # Rules to prevent php execution in uploads  
  RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]  

  #redirect all FILES for login check (excluding PHP)  
  RewriteCond !^(.*)/uploads/([0-9]+/.*)\.php(.?)$ - [NC]  
  RewriteRule ^(.*)/uploads/([0-9]+/.*)\.* /wordpress/file.php?img=$2 [L]
</IfModule>

file.php

<?php
// load wordpress
require_once('wp-load.php');

if( is_user_logged_in() ):
    $file =  ABSPATH.'/wp-content/uploads/'.$_GET['img'];
    if (file_exists($file)) 
    {
        $ftype="application/octet-stream"; 
        $finfo = @new finfo(FILEINFO_MIME); 
        $fres = @$finfo->file($file); 
        if (is_string($fres) && !empty($fres)) { 
           $ftype = $fres; 
        } 
        header('Content-Type: ' . $ftype);
        header('Content-Length: '.filesize($file));
        header('Content-Disposition: filename=".basename($file));
        send_nosniff_header();
        flush();
        readfile($file);
    }
    else
    {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        include( get_query_template( "404' ) );
    }
else:  
    auth_redirect();
endif;
die();
?>

Related Posts:

  1. After moving WordPress to its own directory, login doesn’t work
  2. 2 wordpress blogs with 1 users table and 1 login
  3. How to edit .htaccess to change site’s login url?
  4. deny IPs from wp-login using .htaccess
  5. wp-admin redirects to subdirectory after moving installation to subdirectory
  6. How to secure files based on format and word in file name with wp-config or htaccess?
  7. Removing wordpress cookie from non-wordpress site
  8. How do I limit access to wp-admin to an IP range?
  9. Redirect after login when WordPress in subdirectory
  10. Unable to login my subdirectory WordPress site
  11. In Django, how do I know the currently logged-in user?
  12. Can I programmatically login a user without a password?
  13. Cannot access non-wordpress subdirectories as wordpress overrides them with a 404 error
  14. Can’t log in: “ERROR: Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.”
  15. Is there any way to rename or hide wp-login.php?
  16. How to login with email only no username?
  17. How can I redirect user after entering wrong password?
  18. Moving a WP Multisite to a subdirectory
  19. Increase of failed login attempts, brute force attacks? [closed]
  20. Login page ERROR: Cookies are blocked due to unexpected output
  21. Separate registration and login for different roles
  22. SSO / authentication integration with external ‘directory service’
  23. Preventing session timeout
  24. How reduce wordpress login session timeout time?
  25. How to prefill WordPress registration with social details
  26. Check for correct username on custom login form
  27. Disallow user from editing their own profile information
  28. I can’t access my site via wp-admin
  29. ‘Password field is empty’ error when using autofill in Chrome
  30. Removing username from the ‘wordpress_logged_in’ cookie
  31. How to show ‘login error’ and ‘lost password’ on my template page?
  32. What is $interim_login?
  33. Custom login form
  34. How to prefill the username/password fields on the login page
  35. wp_signon returns user, but the user is not logged in
  36. Adding extra authentication field in login page
  37. Prevent wp_login_form() from redirecting to wp-admin when there are errors
  38. Redirect user using the ‘wp_login_failed’ action hook if the error is ’empty_username’ or ’empty_password’
  39. wp_signon() does not authenticate user guidance needed
  40. What exactly is ReAuth?
  41. What are the differences between wp_users and wp_usermeta tables?
  42. Login members using web services
  43. Make my wordpress blog remember my login “forever”
  44. How to check in timber if user is loggedin?
  45. How do I change the language of only the login page?
  46. Disable WordPress 3.6 idle logout / login modal window / session expiration
  47. Stop WordPress from logging me out (need to keep me logged in)
  48. Woocommerce registration page [closed]
  49. How to disable autocomplete on the wp-login.php page
  50. Share login data/cookies between multiple installations
  51. Synchronize WordPress user accounts across multiple domains and installations without using WordPress MU
  52. How to pass users back and forth using session data?
  53. How do I change the logo on the login page?
  54. Move WordPress to subdirectory, keep ALL URLs
  55. Why does WordPress hide the reset password key from the URL?
  56. Is it possible to sign in with user_email in WordPress?
  57. How to use current_user_can()?
  58. Avoid to load default WP styles in login screen
  59. WordPress registration message
  60. How to fake a WordPress login?
  61. File and directory permissions
  62. how to display the wordpress login and register forms on a page?
  63. Does wp_logout_url() destroy a session? (Logging out question)
  64. How can I send a welcome email to a user AFTER they login for the first time?
  65. Can not login with correct username and password
  66. Website Visible only to Registered users
  67. Non-WordPress page in subdirectory under WordPress page
  68. How can i increase the login expiration length?
  69. How do I use add_action from a class method?
  70. How to remove the WordPress logo from login and register page?
  71. How can I add a custom script to footer of login page?
  72. Brute force attack?
  73. Customize wp_new_user_notification_email()
  74. Need to execute a cron job
  75. Permalink Issues by Installing WordPress in Subdirectory / Subfolder
  76. Login email after registration never sent or received
  77. How can I create a separate blog that is private?
  78. How to keep always logged in development environment
  79. Add Confirm Password field in wp-login.php Password Reset page
  80. WordPress .htaccess subdirectory problem
  81. Integrate recaptcha and wp_signon – what is needed?
  82. Stop users from logging in from multiple locations
  83. Place static HTML files in path below WordPress page
  84. Site redirects to wrong url when saving settings
  85. I want to disable E-Mail verifcation / activation when a user signs up for my WordPress site
  86. custom login page redirect to logged in user profile page
  87. Email address or username used to login in wordpress
  88. How do I check if a post is private?
  89. Front-end login: Redirect user to the post they had created
  90. Receiving “This content cannot be displayed in a frame” error on login page
  91. My login form does not work
  92. Programmatically log in a wordpress user
  93. Action wp_login_failed not working if only one field is filled out
  94. Getting “Cookies are blocked or not supported by your browser” on login page
  95. What is the purpose of logging out after WordPress upgrade?
  96. Is it alright for two people to simultaneously be logged into a WP site as administrator?
  97. wp-login.php redirecting to HTTPS
  98. .htaccess for wordpress inside another wordpress install
  99. WordPress in sub directory wp-admin problem
  100. Display last login time
Categories login Tags .htaccess, directory, login
How to add country drop down menu to the user profile?
Can wordpress differentiate between added and updated posts?

Recommended Hostings

Cloudways: Realize Your Website's Potential With Flexible & Affordable Hosting. 24/7/365 Support, Managed Security, Automated Backups, and 24/7 Real-time Monitoring.

FastComet: Fast SSD Hosting, Free Migration, Hack-Free Security, 24/7 Super Fast Support, 45 Day Money Back Guarantee.

Recent Added Topics

  • Bug in translation system: load_theme_textdomain() returns true, files are available and accessible but the language defaults to english
  • Custom Elementor controls not appearing in the widget Advanced tab using injection hooks
  • Get the name of the template/*html file used
  • Trying to Add Paging to Single Post Page
  • Sharing media files between live and staging servers
  • How to display the description of a custom post type in the dashboard?
  • Critical error on image display
  • Copying WP data and files into new install?
  • How to determine the DirectAdmin WordPress backup date?
  • How to get list of ALL tables in the database?
© 2026 Read For Learn
  • Database
    • Oracle
    • SQL
  • algorithm
  • asp.net
  • assembly
  • binary
  • c#
  • Git
  • hex
  • HTML
  • iOS
  • language angnostic
  • math
  • matlab
  • Tips & Trick
  • Tools
  • windows
  • C
  • C++
  • Java
  • javascript
  • Python
  • R
  • Java Script
  • jQuery
  • PHP
  • WordPress