Protect media files Wordpress multisite

Question

I'm using a multisite with Wordpress as a private network using the Private Only plugin for this.
But the media files from my wp-content map are not protected and are indexed by Google, although I denied indexing.

I'm searching for a piece of code which redirects people who are not logged in when accessing media files through Google.

My domain structure is as follows:

https://intranet.website.com/subsite1/
https://intranet.website.com/subsite2/

I have tried the following piece of code in my .htaccess and it did work but it broke the images on my subsites.

RewriteCond %{HTTP_HOST} ^intranet\.website\.com 
RewriteCond %{SCRIPT_FILENAME} ^([_0-9a-zA-Z-]+/)?files/(.+) 
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) - [L]

Current .htaccess:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^intranet\.website\.com$
RewriteRule /files/.+?\.(pdf|docx|xls|ppt)$ - [NC,F]

RewriteEngine On
RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

# directory browsing
Options All -Indexes

Provide some samples of URLs you don't want to index in search results — anubhava, Dec 20 '13 at 19:16
https://intranet.website.com/subsite1/files/2013/10/2013-03-08-Bulletin.pdf — Merl, Dec 20 '13 at 19:18
but how it is different from your image URL. I mean how should rule distinguish a media URL vs an image URL? — anubhava, Dec 20 '13 at 19:23
Good question, that is my problem with the current code. Images on the website are not shown anymore. — Merl, Dec 20 '13 at 19:24
I only need to have the pdf/docx/xls/ppt files get redirected — Merl, Dec 20 '13 at 19:25

anubhava · Answer 1 · 2013-12-20T21:08:11.013

0

You can use this rule:

RewriteCond %{HTTP_HOST} ^intranet\.website\.com$
RewriteRule /files/.+?\.(pdf|docx|xls|ppt)$ - [NC,F]

Full .htaccess:

RewriteEngine On
RewriteBase /

RewriteRule (^|/)files/.+?\.(pdf|docx|xls|ppt)$ - [NC,F]

RewriteRule ^index\.php$ - [L]

# uploaded files
RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

# add a trailing slash to /wp-admin
RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

# directory browsing
Options All -Indexes

edited Dec 20 '13 at 21:08

answered Dec 20 '13 at 19:33

anubhava

761,203
64
569
643

This is working but it breaks the images on my website. For the images to work I added RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L] but then I do not get redirected anymore... you have suggestions? – Merl Dec 20 '13 at 19:47
My suggested rule cannot impact images since I have `\.(pdf|docx|xls|ppt)$` which won't match images. Can you tell me which image URL isn't working for you. – anubhava Dec 20 '13 at 20:01
I will post my complete htaccess for you down below in a second – Merl Dec 20 '13 at 20:09
added the current .htaccess to my question :) – Merl Dec 20 '13 at 20:14
ok can you try moving this new code just below `RewriteBase /` line – anubhava Dec 20 '13 at 20:18
Edited it, still able to access it through direct link by Google :( – Merl Dec 20 '13 at 20:22
But when i place a # before RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L] It is working, but then the images on the website are not working anymore – Merl Dec 20 '13 at 20:24
Do you .htaccess in `/files/` directory also? – anubhava Dec 20 '13 at 20:33
Wordpress uses the following map structure: wp-content/blogs.dir/subsites as 01 or 02 – Merl Dec 20 '13 at 20:38
Yes that is correct but can you check if `/files/` is a directory and if `/files/` dir has any .htaccess? – anubhava Dec 20 '13 at 20:43
I placed a .htaccess file in /wp-content/ in /wp-content/blogs.dir/ in /wp-content/blogs.dir/02/ and in /wp-content/blogs.dir/02/files/ but not working :( – Merl Dec 20 '13 at 20:49
ok one last update. I provided your full .htaccess try this in a new browser – anubhava Dec 20 '13 at 21:08
Hi thx!, it is working for alot of files but not for all files, I'm really confused now.. Some files give me a 403 even when i'm logged in.. – Merl Dec 20 '13 at 21:33
It will give 403 for `.(pdf|docx|xls|ppt)` file extension only. – anubhava Dec 20 '13 at 21:38
Yes but in my question i'm searching for a piece of code which redirects people who are not logged in when accessing media files through google. – Merl Dec 20 '13 at 21:55
Oh But rewrite rules cannot know if user is logged in our not. – anubhava Dec 21 '13 at 04:42

Protect media files Wordpress multisite

1 Answers1