Securing your Media in WordPress

Ever wondered how to secure your uploaded media in WordPress?

It may sound like a contradiction, but there are times when you upload content to your web-facing Content Management System (CMS) and do not want it to be publicly visible.

Business use cases for this scenario include:

  • legal services, where the content may be sensitive or covered by legislation such as GDPR
  • creative or artistic content, where you have to show your work but do not want anyone to steal it
  • members or subscribers only content, where you want to make the content visible to select or fee-paying subscribers

This article will address each of these scenarios and identify options for achieving the desired outcome. The choices I talk about are WordPress specific, but the context and principles are relevant to any technology.

When your business provides legal services and its CMS is WordPress, it is vital to keep client documents (scanned images, PDFs and the like) hidden from anyone who is not entitled to see them.

If you take no specific action to secure your data, every uploaded file can be fetched by anyone who knows or guesses its URL (by default under _www.example.com/wp-content/uploads/[$filename]_), the whole folder can be browsed if directory listing is enabled on the server, and once a file is linked or discovered it is likely to be indexed by search engines.

This means you are unlikely to comply with local data protection regulations, e.g. GDPR in the EU. Not to mention being open to litigation from clients who find their data is open to the world!

The options described later in this article address these issues. Each has a different level of complexity depending on what needs to be delivered.

Creative and Artistic Content

If your website is there to showcase your talent, you do not want visitors to download your work without permission.

Failure to protect your work can have the following consequences:

  • Loss of revenue – if you sell your art through your website and copies circulate outside your control, you are potentially losing revenue.
  • Intellectual property – your art is your intellectual property and should be protected against theft.

Private or Paid for Content

If you produce content and want to monetise it, or to make it available only to the people you choose, you need to ensure that it is accessible only to those who should have access.

So what can you do…?

Depending on your specific use case(s), three options are available to you:

robots.txt file

Adding a ‘robots.txt’ file to your website is a way of telling search engine crawlers (think leaf-cutter ants, collecting information and carrying it back to the nest) which URLs on your site they should not access.

This is by no means foolproof and is no guarantee that your content will not appear in search engine results. Well-behaved crawlers honour the file, but it is purely advisory: a scraper or an attacker can ignore it, and because robots.txt is itself public it advertises exactly the paths you would rather keep quiet. Treat it as a courtesy to search engines, not as access control.

Redirect

Adding redirect functionality to your website is a way of ensuring that direct access to your content (media files etc.) is restricted to logged-in users.

In essence, it checks two things: whether the requested resource is of a protected type (an image, a PDF, ...) and whether the browser making the request has an authenticated session. A request for protected content that arrives without a session is redirected to a specified URL (typically the home or login page).

This tends to be an “all or nothing” approach and does not differentiate between user roles. On its own it also does nothing to stop search engines listing the URLs, although a crawler, like any other unauthenticated client, will only ever be shown the login page.
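The following is an added example of the redirect approach just described; it is not code from the original article or from any plugin it mentions. It assumes a hypothetical layout: protected files are kept under wp-content/uploads/private/, that directory contains an .htaccess with "Require all denied" (Apache 2.4; "Deny from all" on 2.2, or a "deny all;" location block on nginx) so the web server never serves them directly, and this script is saved as wp-content/private-media.php and linked to as /wp-content/private-media.php?file=2024/contract.pdf. Anonymous visitors are redirected to the WordPress login page; logged-in users are additionally checked for a capability (the PRIVATE_MEDIA_CAP constant is an assumption, shown here as a simple way to go beyond the "all or nothing" behaviour described above), and the file is streamed only if its resolved path stays inside the private directory.

```php
<?php
/**
 * Added example, not code from the original article or any plugin it names:
 * a download gate that serves a file only after WordPress confirms the
 * visitor is logged in and holds a given capability.
 *
 * Assumed layout (hypothetical; adjust to your install):
 *   - Protected files live in wp-content/uploads/private/, and that directory
 *     holds an .htaccess containing "Require all denied" so the web server
 *     never serves them directly. PHP reading from disk is unaffected by it.
 *   - This script is wp-content/private-media.php and is linked to as
 *     https://www.example.com/wp-content/private-media.php?file=2024/contract.pdf
 */

// Bootstrap WordPress so the auth cookie is validated and the user API exists.
// wp-load.php sits in the WordPress root, one level above wp-content/.
require_once __DIR__ . '/../wp-load.php';

// Capability a logged-in user must hold (assumed name). 'read' is granted to
// every role, including Subscriber; use e.g. 'edit_posts' or a custom
// capability mapped to a "member" role if only some users may see the files.
const PRIVATE_MEDIA_CAP = 'read';

// 1. Session check. auth_redirect() sends anonymous visitors to wp-login.php
//    with a redirect_to parameter that brings them back here after login.
auth_redirect();

// 2. Role check: logged in but not entitled -> refuse rather than redirect.
if ( ! current_user_can( PRIVATE_MEDIA_CAP ) ) {
    wp_die( 'You are not permitted to view this file.', 'Forbidden', array( 'response' => 403 ) );
}

// 3. Resolve the requested path and make sure it stays inside the private
//    directory. realpath() collapses "../" and symlinks, so a prefix check on
//    the resolved path (root plus a trailing separator) defeats traversal.
$root      = realpath( wp_upload_dir()['basedir'] . '/private' );
$requested = isset( $_GET['file'] ) ? wp_unslash( (string) $_GET['file'] ) : '';
$path      = $root ? realpath( $root . '/' . $requested ) : false;

if ( $path === false || strpos( $path, $root . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $path ) ) {
    status_header( 404 );
    exit;
}

// 4. Stream the file with a sane MIME type, caching disabled so a shared
//    cache cannot hand it to the next visitor, and a noindex header so that
//    even a crawler with a session would not index it.
$type = wp_check_filetype( basename( $path ) );
$mime = $type['type'] ? $type['type'] : 'application/octet-stream';

nocache_headers();
header( 'Content-Type: ' . $mime );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Content-Disposition: inline; filename="' . basename( $path ) . '"' );
header( 'X-Robots-Tag: noindex, nofollow' );
readfile( $path );
exit;
```

The essential point is the pairing: the web server is told never to serve the directory, so the PHP gate is the only route to the bytes. A rewrite rule alone, or a gate script beside files that remain directly fetchable, leaves the original problem in place. Because the X-Robots-Tag header travels with the response, this also covers the indexing concern that robots.txt can only hint at.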

Plugins

If you need a more robust solution, there are plugins available for WordPress that will give you the following:

  • Media file protection
  • File type protection
  • Role-based access to media files
  • Disable right-click functionality (a deterrent only: anything the browser has rendered has already been downloaded and can be saved by other means)
  • Prevent hot-linking to your content
  • Enhanced redirects
  • Block search engine indexing of media files
  • Media file encryption
  • Manual or automated creation of private links so you can share media files, with timed expiry capability
  • Bulk protection functionality, if you have a lot of existing content you want to protect
  • Integration with other plugins to provide enhanced capability

Summary

Ensuring that your business complies with the relevant legislation and industry standards is critical to its continued success and to the trust it builds with its clients.