How to Protect Image and File Uploads in WordPress

The /uploads/ directory is where WordPress stores the files that you upload. This directory is almost always located at /wp-content/uploads/.

This means that anyone who wants to see your complete media library can view it instantly by going to example.com/wp-content/uploads/.

In most cases, this is not a problem. Most site owners want to make their images easily accessible to visitors and search engines.

However, some site owners don’t want people snooping around in their media library. A good example is an UpStream user who is using the plugin to collaborate with clients. They may not want to allow clients to search for files related to other clients.

In this tutorial, I’ll give you some advice on how to protect your uploads.

Test your site

Before going any further, it’s worth taking a few moments to test your site.

Many hosting companies will automatically block access to /wp-content/uploads/ so this problem may already be solved.

Try visiting the uploads directory on your site.

If you get a message like this, then your uploads directory is already protected:

Forbidden

You don’t have permission to access /wp-content/uploads/ on this server.

The Protect uploads plugin

The Protect uploads plugin will prevent anyone from browsing around your media directory. The plugin hides the folder contents either by adding an index.php file in the root of your uploads directory or by setting up an .htaccess file that returns a 403 error (Forbidden Access).
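The manual test above and the two ways the plugin hides the folder can be checked with a short script. This is an added example, not code from UpStream or the Protect uploads plugin; the function names, verdict labels and sample responses are assumptions made for illustration, and check_site() is meant for a site you administer.

```python
import re
import urllib.error
import urllib.request

# Apache and nginx auto-generated listings both title the page "Index of /path".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify_uploads_response(status, body):
    """Map the HTTP status and body returned for /wp-content/uploads/ to a verdict."""
    if status == 403:
        return "protected-forbidden"   # host or .htaccess denies the directory
    if status == 200 and LISTING_RE.search(body):
        return "exposed-listing"       # directory contents are browsable
    if status == 200:
        return "no-listing"            # e.g. an index.php file hides the contents
    return "inconclusive"              # redirect, 404, 5xx: check by hand

def check_site(base_url, timeout=10):
    """Fetch the uploads directory of a site you administer and classify it."""
    url = base_url.rstrip("/") + "/wp-content/uploads/"
    req = urllib.request.Request(url, headers={"User-Agent": "uploads-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""    # 403/404 arrive as HTTPError
    return classify_uploads_response(status, body)

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "forbidden": (403, "<h1>Forbidden</h1><p>You don't have permission to "
                       "access /wp-content/uploads/ on this server.</p>"),
    "listing": (200, "<html><head><title>Index of /wp-content/uploads</title>"
                     "</head><body>...</body></html>"),
    "blank index.php": (200, ""),
    "not found": (404, "Not Found"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:16} -> {classify_uploads_response(status, body)}")
```

The script checks only the directory listing; it says nothing about whether individual files can still be fetched by their direct URL.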

More Reading

It’s also worth protecting your Media Library against logged-in users who can see too much.

Click here to see what file types WordPress allows you to upload.