You could check for a log-in cookie in your .htaccess, but that can be spoofed:
RewriteCond %{HTTP_COOKIE} ! wordpress_logged_in_.+= [NC]
RewriteRule \.pdf$ - [F,L]
You could check for a log-in cookie in your .htaccess, but that can be spoofed:
RewriteCond %{HTTP_COOKIE} ! wordpress_logged_in_.+= [NC]
RewriteRule \.pdf$ - [F,L]