
Make images private in Wordpress

I'm making a site that I would like to make private. The most important part is that the images on the domain can't be seen without the user logging in first. So I would like all traffic to be redirected to www.DOMAINNAME.com/wp-admin (also for images) if the user isn't logged in.

Here's what I've tried:

1) Plugins. I've tried Wordpress Force Login, the plugin wp-require-login, and a Coming soon page and Maintenance mode.

2) Adding a function from this answer. Which is this:

function is_login_page() {
    return in_array( $GLOBALS['pagenow'], array( 'wp-login.php', 'wp-register.php' ) );
}

function wpse_make_blog_private() {
    if ( ! is_user_logged_in() && ! is_admin() && ! is_login_page() ) {
        global $wp_query;
        $wp_query->set_404();
    }
}
add_action( 'wp', 'wpse_make_blog_private' );

None of these things redirects the traffic if I go to the direct URL for the image (such as http://www.DOMAINNAME.com/uploads/2015/10/foobar.jpg ).

Can that be done?

----------------- EDIT 1 --------------

Mevius pointed out that WordPress might not be loaded if you type in the direct URL to an image, so he suggests that it should be done at the Apache level.

------------- END OF EDIT 1 -----------

Zeth asked Oct 05 '15 18:10



1 Answer

You can make this as complicated or as simple as you want. The simplest is to check the referrer as suggested by Hemnath Mouli, but that can be spoofed easily.

However, if you want to go really deep... ;)

Use an .htaccess file with a RewriteRule to rewrite all images into a PHP script that bootstraps WordPress and checks the user's authentication status. Also, you should add an .htaccess file to your images folder to deny direct access to the folder to exclude edge cases.

WARNING: THIS CODE IS JUST PROOF OF CONCEPT TO GET YOU STARTED!!

.htaccess

RewriteEngine On
RewriteRule ^(.*\.(jpg|gif|png))$ isAuthenticated.php?path=$1 [NC,L]

isAuthenticated.php

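<?php
// Load WordPress without running the main query or the template loader
require_once(__DIR__."/wp-load.php");

$allowedExtensions = array("jpg", "gif", "png");

// Resolve the rewritten path so "../" segments and symlinks cannot leave the document root
$root = realpath($_SERVER["DOCUMENT_ROOT"]);
$requested = (isset($_GET["path"]) && is_string($_GET["path"])) ? $_GET["path"] : "";
$path = realpath($root.DIRECTORY_SEPARATOR.$requested);
$extension = strtolower(pathinfo($requested, PATHINFO_EXTENSION));

// Check if the WordPress user is logged in and if the file extension is allowed
// @see https://codex.wordpress.org/Function_Reference/is_user_logged_in
if (!is_user_logged_in() || !in_array($extension, $allowedExtensions, true)) {
    header("HTTP/1.1 403 Forbidden");
    exit;
}

// Missing files and anything that resolves outside the document root get a 404
if ($path === false || strpos($path, $root.DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
    header("HTTP/1.1 404 Not Found");
    exit;
}

// Display the file and set the correct mimetype
$resource = finfo_open(FILEINFO_MIME_TYPE);
$mimetype = finfo_file($resource, $path);
finfo_close($resource);

header("Content-Type: ".$mimetype);
readfile($path);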
Ricardo Velhote answered Nov 15 '22 14:11
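
The `path` value that reaches a script like isAuthenticated.php comes straight from the request URL, so the file it resolves to has to be confined to the document root before it is read. The following is an added example, not code from the answer above: a hypothetical helper `resolve_image()` exercised against a constructed temporary directory tree, covering the cases that plain string concatenation gets wrong.

```php
<?php
// Added example: resolve a request path to a file that must live under $root.
// resolve_image() and the temp layout below are hypothetical, built for the demo.
function resolve_image(string $root, string $requested, array $allowedExt): ?string
{
    $root = realpath($root);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks; false means "not found".
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare against "$root/" so a sibling such as "$root-backup" cannot match.
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Check the extension of the resolved file, not of the raw request string.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, $allowedExt, true) ? $path : null;
}

// Constructed layout: <tmp>/site is the document root, <tmp>/site-backup is not.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "imgdemo_" . getmypid();
mkdir("$tmp/site/uploads", 0700, true);
mkdir("$tmp/site-backup", 0700, true);
file_put_contents("$tmp/site/uploads/foobar.jpg", "jpeg bytes");
file_put_contents("$tmp/site/uploads/PHOTO.JPG", "jpeg bytes");
file_put_contents("$tmp/site/wp-config.php", "<?php // secrets");
file_put_contents("$tmp/site-backup/old.jpg", "jpeg bytes");

$cases = array(
    "uploads/foobar.jpg"       => true,   // normal request
    "uploads/PHOTO.JPG"        => true,   // extension compared case-insensitively
    "uploads/../wp-config.php" => false,  // inside the root, wrong extension
    "../site-backup/old.jpg"   => false,  // allowed extension, outside the root
    "uploads/missing.png"      => false,  // does not exist
);
foreach ($cases as $request => $expected) {
    $ok = resolve_image("$tmp/site", $request, array("jpg", "gif", "png")) !== null;
    printf("%-26s %s\n", $request, $ok === $expected ? "as expected" : "UNEXPECTED");
}
```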