.htaccess to stop users downloading pdf doc or xls

Hi,

I am trying to achieve the following;

Stop users downloading files (pdf, doc, xls from wp-content unless they are logged into wordpress.

I have this in the wp-content folder inside .htaccess

<IfModule mod_rewrite.c>
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?729\.d38\.myftpupload\.com/ [NC]
RewriteCond %{REQUEST_FILENAME} \.(pdf|doc|xls)$ [NC]
RewriteRule . - [R=403,L]
</IfModule>

This is what I am trying to do.
Conditions to be met
1. If you are not logged into wordpress
2. If you referer is not my domain
3. If the requested file ends in .pdf .doc xls

Then give a 403

Else give the requested file

My result;
Page not found when logged in or not, it is like it is not seeing that I am logged in.

 Also in the root there is another .htaccess that contains;

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Any help would be appreciated

BW
LVL 4
bwilks99Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arnoldCommented:
You need to stop using direct links to the documents but rather use a plugin to provide data to logged in users.

It is not something that can be done via .htaccess without conflicting with other functionality.
I.e. Using allow,deny rules with require user. What this will do is have a user logged into wp also get prompted for credentials on access to documents.
0
bwilks99Author Commented:
Hi, And thanks for the help.

Since I posted I did more testing (different host) and this works with standard CPanel hosting  as desired. The %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC] way seams to very common way to do this.

RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteCond %{REQUEST_FILENAME} \.(pdf|doc|xls)$ [NC]
RewriteRule . - [R=403,L]

However I am sure you know more than I on this subject. Can you tell me the name of some plug-ins that would work?

Thanks

BW
0
arnoldCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

gheistCommented:
Delete documents...
0
bwilks99Author Commented:
Not sure what you mean "Delete documents..."?
0
arnoldCommented:
My interpretation of the suggestion is that it means remove the documents from where they are now since they can be accessed directly without login into WP.

It is not clear what your organization of data is so it is difficult to suggest alternatives that will get you to where you want to be.

Additional possible plug-in
https://wordpress.org/plugins/download-manager/

In short, you are looking for a Document manager that allows you to manage the access.

Trying to use this with .htaccess will necessitate the reliance on the webserver's authentication method rather than using a single WP signon/user manager.

Please look at the WP site for their available plugins and their description, and see whether a combination of several of them does what you are looking for.
0
bwilks99Author Commented:
Hi Arnold,

I agree with your suggestions, here is where I am at now.

I moved to standard cpanel (same host) .htaccess is providing a working solution.

RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteCond %{REQUEST_FILENAME} \.(pdf|doc|xls)$ [NC]
RewriteRule . - [R=403,L]

I should use a plug-in to manage file permissions but how to close the questions?
0
arnoldCommented:
Next to each comment, there  are two options to accept the comment as a solution or accept multiple solution.
If there are multiple comments that helped, you should select the multiple option on the comment with the others selected as assisting. Here you will have the option to assign a portion of the total points to each.

If only one comment helped, check select the accept that comment as a solution.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Apache Web Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.