How to Protect Your Media Files on WordPress Multisite

Protecting your WordPress files is a breeze with our “Prevent Direct Access” plugin no matter how many files you have or whether they are PDF, ZIP or Video files.

It’s slightly more complicated when it comes to WordPress Multisite. Having said that, if you can set up a WordPress Multisite network, you can easily update these simple configurations so that Prevent Direct Access works perfectly with WordPress Multisite.

Here is a step-by-step process that you can protect your Media Files on your WordPress Multisite:

  1. Purchase and get our Prevent Direct Access Gold version and your unlimited-site license ready.
    Please note that you will need an unlimited-site license for your WordPress multisite.
  2. Once you install & “network activate” our plugin, you should be able to find these htaccess rules under our settings on every single site of your network.

    Every single website of your network has it own “Site Rules” while “Basic Rules” are the same for all the sites. You should update the “Site Rules” on your main htaccess file whenever you create a new site on your network. This is very important as our plugin won’t be working on sites that’s not had its htaccess “Site Rules” updated on the main htaccess file.

  3. Copy these rules, append on top of your main .htaccess file. In other words, please keep your existing WordPress htaccess rules and append these rules on top of them following this order:

RewriteRule private/site/1/([a-zA-Z0-9-_]+)$ /index.php?pre_dir_acc_61co625547=$1 [R=301,L]
RewriteRule private/site/2/([a-zA-Z0-9-_]+)$ local1/index.php?pre_dir_acc_61co625547=$1 [R=301,L]
RewriteRule private/site/3/([a-zA-Z0-9-_]+)$ local2/index.php?pre_dir_acc_61co625547=$1 [R=301,L]
[Put LINE 1 of your new site "Site Rules" here]

[These 4 lines are "basic rules" which is always here and never change]
RewriteCond %{REQUEST_FILENAME} -s
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Twitterbot/[0-9]
RewriteCond %{HTTP_USER_AGENT} !Googlebot/[0-9]

RewriteRule wp-content/uploads(\/[A-Za-z0-9_@.\/&+-]+)+\.([A-Za-z0-9_@.\/&+-]+)$ index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$2 [QSA,L]
RewriteRule wp-content/uploads/sites/2(\/[A-Za-z0-9_@.\/&+-]+)+\.([A-Za-z0-9_@.\/&+-]+)$ index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$2 [QSA,L]
RewriteRule wp-content/uploads/sites/3(\/[A-Za-z0-9_@.\/&+-]+)+\.([A-Za-z0-9_@.\/&+-]+)$ index.php?pre_dir_acc_61co625547=$1&is_direct_access=true&file_type=$2 [QSA,L]
[Put LINE 2 of your new site "Site Rules" here]

Finally, please make sure that the original htaccess rules of your WordPress Multisite are still there at the bottom of the file

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# add a trailing slash to /wp-admin
RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
RewriteRule ^(.*\.php)$ $1 [L]
RewriteRule . index.php [L]

That’s about it. Now our “Prevent Direct Access” plugin should be working perfectly on your WordPress Multisite network as usual.