Redirecting web pages
You can save yourself adding code to all templates in your theme by hooking this in instead.
function wpse299924_redirect() {
if( !is_user_logged_in() ) {
wp_redirect( wp_login_url() );
die;
}
}
add_action( 'template_redirect', 'wpse299924_redirect' );
You’re right that your images and other media will still be accessible to anyone who knows the URL, but this will redirect all pages to the login page for users who aren’t logged in.
Redirecting media
WordPress permalinks (on the Apache web server) rely on Apache settings, usually in a site’s .htaccess file, to redirect all URLs to the main WordPress index.php file which then processes them into the WP query that returns the web page you’re after. Doing this for any images would be wasteful and so there are two .htaccess lines that specifically bypass WP if the requested file or directory exists:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
If the requested filename or directory exists as a real file (or directory) for your site then Apache serves it directly without running WP at all.
You could remove these lines (using the mod_rewrite_rules
filter) to force WP to handle media URLs for you, but you would then need to code up suitable permalink rewrite patterns and return the appropriate image file yourself after checking a user is logged in.