Using “wordpress_logged_in” to restrict direct access to uploads folder in 2021

Check to see if a person is logged in:

<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_FILENAME} (.*)
    RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_([a-zA-Z0-9_]*) [NC]
    RewriteRule .* - [F,L]
</IfModule>

The same applies as it did 10 years ago. This code in .htaccess doesn’t have anything to do with how WordPress might be setting cookies. And this does not “check to see if a person is logged in”. It simply checks that a string that matches the regex wordpress_logged_in_([a-zA-Z0-9_]*) does not appear anywhere in the Cookie header. The “problem” here is that anyone can create a request that passes a value in the Cookie header that passes your test. Since it is well known that WP sets such a cookie then it is not difficult to guess.

The only way to check that the request is “logged in” to WordPress is to use PHP.

Aside: The first RewriteCond directive that checks against REQUEST_FILENAME is superfluous since it simply checks against anything. The NC flag on the second condition should not be used in such checks, since you are now unnecessarily increasing the range of strings that would pass the test (eg. wOrDpReSs_LoGgEd_In_ would pass). Consequently, including A-Z in the hash portion is unnecessarily – the hash is always lowercase (and always 32 chars long AFAIK). The L flag is not required when used with the F flag (it is implied) and the regex .* will block all requests if that cookie does not exist, not just access to the WordPress uploads folder. You should also avoid using the <IfModule mod_rewrite.c> wrapper for anything security related, since a “failure” in your server config (ie. mod_rewrite being erroneously disabled) would allow unrestricted access, instead of breaking with an error (which would be preferable).

So, the above should be written like this:

RewriteCond %{HTTP_COOKIE} !(?:^|;\s)wordpress_logged_in_[a-z0-9_]{32}=
RewriteRule ^wp-content/uploads/ - [F]

The regex (?:^|;\s)wordpress_logged_in_[a-z0-9_]{32}= specifically checks for that cookie name (more specific), rather than a string that occurs anywhere in the Cookie header (too general).

(Although, to clarify, this is really no more “secure” than the original code snippet.)

Related Posts:

  1. Improve wordpress security by hiding non public resources
  2. Does this .htaccess security setting really work?
  3. File and directory permissions
  4. WordPress URL/Folder ReWrite using Htaccess
  5. Which WordPress scripts need to be executable for a fresh installation?
  6. Blocking access to wp-login via htaccess not working
  7. Attach to wp-login.php and xmlrpc.php
  8. XMLRPC filtering through htaccess not working
  9. Restricting user login by IP address
  10. WordPress: Adding Security
  11. How do I test to ensure that my wp-config file is protected?
  12. WordPress not seeing .htaccess rules
  13. Rules in .htaccess only if the requested URL is /wp-admin
  14. Disable directory browsing of uploads folder
  15. Strange behaviour of is_user_logged_in() and get_current_user_id()
  16. Selectively Disabling PHP via .htaccess in Root Directory
  17. Should I prevent access to .htaccess and wp-config.php files?
  18. Blocking wp-login in HTACCESS has also blocked password protected pages
  19. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  20. Using htaccess to prevent spam through wp-comments-post.php
  21. How can I create a private site that is inaccessible from the outside?
  22. Restrict Content for only Contributors via .htaccess
  23. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  24. How to redirect all HTTP requests to HTTPS
  25. Which one does WordPress prioritize when it comes to php.ini, wp-config and .htaccess?
  26. Security and .htaccess
  27. htaccess problem after saving Settings
  28. htaccess https redirect from www to non-www
  29. Name-based virtual host configuration in Apache seems to cause a “500 Internal Server Error”
  30. Isolating WordPress to a subfolder
  31. How disable SSL redirect for specific URL?
  32. How to change “wp-admin” to something else without search-replacing the core?
  33. Error:406 not acceptable
  34. What is the role of .htaccess file in WordPress?
  35. How can I code my plugin to safely modify .htaccess?
  36. Prevent users from browsing through the media galleries
  37. How to modify the .htaccess to force ssl on login and admin pages
  38. HTAccess stops me from accessing WordPress Dashboard links
  39. Exclude subfolder from WP-redirect works with html but not php files
  40. .htaccess rewrite rule puzzle
  41. Allow logged in users who doesn’t belong to whitelisted ips
  42. Best way to redirect site in subdirectory to root?
  43. Only expose routes with prefix /wp-json on WordPress using Apache
  44. Missing slash after moving site to subfolder
  45. WildCard SSL with wordpress subdomain
  46. Hardening wordpress: blocking /includes with htaccess
  47. htaccess – RewriteRule without redirect not working
  48. browser caching not disabled after disabling in .htaccess
  49. Restrict uploaded files into a custom folder to logged in users by htaccess: looking for Nginx – not only Apache – solution
  50. Transfer to HTTPS – mixed content on main page only [closed]
  51. Htaccess redirect after changing Language URL format
  52. Adding a SSL Certificate
  53. .htaccess Security Header Rules
  54. mod_rewrite loop, redirecting http to https on certain section of wordpress blog
  55. .htaccess in subdir gets ignored by WordPress’ own .htaccess in /
  56. blocking access to all post/tag URIs via htaccess
  57. What to write in the htaccess in order to detect browser language and point accordingly?
  58. sitemap contains weird links and does not contain my pages [closed]
  59. how to redirect 301 my old search query string to wordpress search query string?
  60. Allow REST API over HTTP, the rest of the site forced to HTTPS
  61. .htaccess RewriteCond excluding directories does not work when there is an .htaccess or php.ini in subdirectory
  62. Separate 404 page for WordPress in subfolder
  63. Weird behavior of Dashboard, must be core files
  64. 404 error Additionally 403 Forbidden error on a URL
  65. Remove trailing slash after .html extension
  66. Does WP suppresses .htaccess if permalinks are disabled?
  67. I have a page using a pretty url and a mod_rewrite rule matching it. I expected it to give an error but it’s working. Why?
  68. How do I setup htaccess for 301 redirects, post Joomla to WordPress migration? [closed]
  69. Hide a subdirectory on my website hosting
  70. Can’t access WP site over WiFi network
  71. Creating a copy of a website in a subdirectory, wp-admin redirect problem
  72. Troll the hackers by redirecting them
  73. I am new in word pres my font awesome is not allow
  74. htaccess redirect throws an error: PHP Catchable fatal error: Object of class WP_Error could not be converted to string
  75. WordPress permalinks confusion
  76. How do I reset a rewrite?
  77. Why my WordPress Site Asking for HTTP Authentication?
  78. htaccess redirects invalid request to home page not 404
  79. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  80. WordPress How to rewrite URL for custom pages
  81. How to properly give WordPress its own directory
  82. WordPress permalinks is wrong. It wants me to change my htaccess file. But then site crashes
  83. How to move wordpress website from hosting account to localhost
  84. Question with .htaccess and wp-login.php prevention
  85. After changing permalink, getting 404 for one particular category
  86. WordPress RSS feed to external XML
  87. Does htaccess password keep search engines out?
  88. htaccess old php pages to new wordpress ones
  89. htaccess mod_rewrite not working
  90. different CNAME to corresponding subfolders
  91. block seacrh engines for all pages EXCEPT homepage
  92. Giving WordPress it’s own directory and using .htaccess Directory Index
  93. Restrict download files from not generated Urls
  94. My WP site and password was hacked, what to do? [closed]
  95. htaccess – Server Subdirectory With Different Name Than URL Subdirectory
  96. WordPress sections in htaccess kills FrontPage permissions
  97. Enable webp support Nginx+Apache reverse proxy with moss.sh [closed]
  98. WordPress redirection
  99. Home page returns 404
  100. Browser Caching .htaccess