How To Protect Image And File Uploads In WordPress


The /uploads/ directory is where WordPress stores the files that you upload. This directory is almost always located at /wp-content/uploads/.

This means that anyone who wants to see your complete media library can view it instantly by going to example.com/wp-content/uploads/.

In most cases, this is not a problem. Most site owners want to make their images easily accessible to visitors and search engines.

However, some site owners don’t want people snooping around in their media library. A good example is an UpStream user who is using the plugin to collaborate with clients. They may not want to allow clients to search for files related to other clients.

In this tutorial, I’ll give you some advice on how to protect your uploads.

Test your site

Before going any further, it’s worth taking a few moments to test your site.

Many hosting companies will automatically block access to /wp-content/uploads/ so this problem may already be solved.

Try visiting the uploads directory on your site.

If you get a message like this, then your uploads directory is already protected:

Forbidden

You don’t have permission to access /wp-content/uploads/ on this server.

The Protect uploads plugin

The Protect uploads plugin will prevent anyone from browsing around your media directory. This plugin hides the folder contents either by adding an index.php file in the root of your uploads directory or by setting up an .htaccess file that returns a 403 error (Forbidden Access).

403 Forbidden for WordPress images

  • In your WordPress site, install the Protect uploads plugin.
  • Go to Media > Protect Uploads.
  • The plugin will tell you if your uploads directory is protected:

Your WordPress uploads are protected

  • If the directory isn’t protected, you’ll have the option to add an index.php file or an .htaccess file.
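
The two fixes the plugin offers can also be applied and checked by hand. The script below is an added example, not code from the Protect uploads plugin or from this tutorial; it assumes Apache with .htaccess overrides enabled, and the function names listing_protection and protect_uploads are made up for the sketch.

```shell
#!/bin/sh
# Added example: the index-file and .htaccess fixes described above, done by hand.
# Assumptions: Apache honours .htaccess here (AllowOverride permits Options);
# both function names are hypothetical.

# Print how DIR is protected: "htaccess", "index", or "unprotected".
listing_protection() {
    dir=$1
    if [ -f "$dir/.htaccess" ] &&
       grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$dir/.htaccess"; then
        echo htaccess
    elif [ -f "$dir/index.php" ] || [ -f "$dir/index.html" ]; then
        echo index
    else
        echo unprotected
    fi
}

# Apply METHOD ("index" or "htaccess") to DIR without clobbering existing files.
protect_uploads() {
    dir=$1 method=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    case $method in
        index)
            # An index file is served instead of the auto-generated listing.
            [ -e "$dir/index.php" ] ||
                printf '<?php\n// Intentionally empty: hides the directory listing.\n' > "$dir/index.php"
            ;;
        htaccess)
            # With Indexes off, Apache answers 403 for a directory with no index file.
            # Append rather than overwrite, and only if the directive is missing.
            [ "$(listing_protection "$dir")" = htaccess ] ||
                printf '\n# Disable directory listings\nOptions -Indexes\n' >> "$dir/.htaccess"
            ;;
        *)
            echo "unknown method: $method" >&2; return 1 ;;
    esac
}

# Usage (path is a placeholder): protect_uploads /path/to/wp-content/uploads htaccess
```

An index.php only covers the directory it sits in, so year/month subfolders still list their contents unless each gets its own file; Options -Indexes in .htaccess applies to every subdirectory below it.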

More Reading

It’s also worth protecting your Media Library against logged-in users who can see too much.

Click here to see what file types WordPress allows you to upload.

This Post Has 6 Comments
  1. Thanks for your article.
    I’m looking for a way to hide media from users who are not logged in.

    So if I type in my web browser: /wp-content/uploads/01/image.jpeg

    I don’t want to see the picture if I’m not a connected user.

    Thanks in advance.

  2. Although I appreciate the article, it is recommending a plugin that has not been updated in a year. Meaning, it has not been tested with the current WordPress version. Please update your article to ensure folks do not install something that could break their site(s).

    Thanks.

    1. Hi Adnonya. I take your point, but the warning on WordPress.org is a little overblown. Many plugins with this warning still work perfectly. Caveat: please install all plugins on a test site first.

  3. Hi,
    I tried this, but I misread the details. I was looking for a plugin which will forbid access to all the files in the uploads directory. For example, if someone goes directly to sitename.com/wp-content/uploads/2018/01/file.jpg, he will get an error.
    Is there a way to achieve this kind of protection?
    Thanks!
