How to restrict WordPress media files access to specific user roles

If you’re running an online business selling courses or information products, you’ll want to build some private areas where only your customers or subscribers can access premium content and digital product files. Password and membership protection prove useful in these cases.

However, there is a serious loophole in these protection methods that often result in your digital product files being leaked out.

In this article, we’re going to show you two easy ways to protect both your WordPress content and digital products without any technical knowledge.

Why you should protect WordPress media files

Did you know that even though your website content is protected with a password or membership plugin, the media attachments embedded in those pages are still accessible to anyone who has direct links to those files?

That's because password and membership plugins don’t protect your file uploads - they're designed to protect content instead, such as pages, posts or products. As a consequence, if someone shares these file URLs on other forums and social platforms, others will be able to access them without having to purchase membership or log into your website.

Even worse, Google and other search engines could potentially index these private documents, videos, and images. So people can just find and access them directly through some simple search with the right keywords.

If you're selling courses or digital products then this puts you at risk of losing all your efforts, digital product files, and a lot of money...

2 ways to protect WordPress media attachments

We've discovered two plugins that make it easy to protect your WordPress media files. You can use either of them with plugins such as Password Protected Categories and WooCommerce Protected Categories which let you restrict access to your WordPress pages, posts and custom post types to specific users or roles. They add an extra layer of security by restricting access to the media files which are linked to from your protected pages/posts/products/etc.

The two plugins are:

  • Download Monitor (DLM) - This plugin adds an additional layer of protection for your digital files. Either upload new files to WordPress and protect them one-by-one, or choose which existing files to protect.
  • Prevent Direct Access (PDA) Gold - Similarly, this plugin provides many different ways to protect your WordPress media files. You can protect new file uploads automatically or on the fly under the WordPress media library. Alternatively, you can protect some specific files when editing a page or post. Instead of protecting each file individually, you can select and protect multiple files simultaneously using WordPress bulk actions under Media list view.

Plugin 1: Download Monitor

Download Monitor (DLM) makes it easy to protect your WordPress media library files. To illustrate how it works, let's imagine that you've used the following plugins to create a private WordPress document library:

WordPress document library plugin
A searchable directory of downloadable files using the Document Library Pro plugin

That's a great solution, but doesn't actually protect the underlying WordPress media files - i.e. the documents that are linked to from the library. It's unlikely that unauthorised people will find them because they're only linked to from the private document library pages. However, if one user publicly shares the link to a document then they could potentially share it more widely.

If you're concerned about this then the solution is to add the Download Monitor plugin to the mix.

Securing digital files

With Download Monitor installed, let's look at how to secure our digital files. While we're using Document Library Pro and Password Protected Categories as an example, you can also use it alongside other membership plugins which restrict access to WordPress content.

For example, we've added a document using Document Manager Pro. From the 'Edit Document' screen in the WordPress admin, we've chosen to add a file upload as below:

WordPress Download Monitor plugin

Adding a file for download, and you'll see the media library modal with a new addition:

Protect WordPress media library file

Clicking on the Protect button protects the file. Then we can publish our new document. Our digital file is now protected, thanks to DLM.

More features of DLM

Download Monitor (DLM) also offers hotlink protection. For example, if you have a member who wants to make a name for themselves by sharing a link to your digital files, then hotlink protection will check the referrer. The plugin will redirect the user to your homepage unless the download request has come from your site.

Hotlink protection is available in the free version of Download Monitor and is an invaluable deterrent for those looking to benefit by stealing and sharing your work.

An additional bonus of DLM is the reporting feature. You can enable/disable reports in the back end of your website; see below for an example report:

WordPress report download stats

The reporting feature gives you an overview of downloads, filterable by date. Another helpful feature is user reporting:

User reporting

DLM offers an extension that gives even more insight into reports called Enhanced Metrics. This extension provides even more information, such as failed/completed downloads, active users and downloads, and more.

As you can see, it builds on plugins like Document Library Pro and Password Protected Categories to give you extra protection. As an added bonus, you get built-in reporting on who is accessing your downloadable files.

Plugin 2: Prevent Direct Access

Prevent Direct Access (PDA) Gold is an alternative plugin for restricting access to your WordPress Media Library files. Like Download Monitor, it works with WordPress protection plugins like Password Protected Categories and WooCommerce Protected Categories. Simply use it to restrict access to your media files using the same type of protection that you're using for your pages, posts, and other content.

File Access Permission

Protect WordPress files

File access permission
File Access Permission (FAP) allows you to select certain user roles who can access your private protected files directly. There is global FAP which applies the permissions to all files by default. What’s more, you can set individual FAP with Access Restriction extension. In other words, you can make different files accessible to different user roles.

While most of the options are self-explanatory, you may wonder when to use the "Anyone" and "No one" options:

  • Anyone option allows everyone to access your private files while stopping Google or other search engines from indexing them. This comes in useful when you want those files to be directly accessed through your website links and not through search results.
  • No one option literally stops everyone from accessing your protected files directly through their file URLs. In return, PDA Gold plugin gives you the power to create as many private download links as needed. This helps you share your protected files with some specific groups of users. And at the same time, you can track and restrict its usage by time or click.

How to protect both WordPress content and file attachments

The most bulletproof way to secure your WordPress content is to protect both your content and media attachments altogether.

Password Protected Categories - and it's e-commerce version WooCommerce Protected Categories - is one of the best WordPress password protection plugins. Both plugins allow you to protect an entire category including its sub-categories and all posts/products under that category, with a single password. You can also restrict entire categories so that only specific logged-in users or roles can access them.

Now, let’s learn how to integrate Prevent Direct Access Gold with Password Protected Categories and WooCommerce Protected Categories. It's the perfect combination to protect both WordPress categories and media file attachments on these posts/products.

Using Prevent Direct Access with Protected Categories

Follow these simple steps to protect any type of WordPress category. This could be a post category, page category, WooCommerce product category, or a category/custom taxonomy for any other custom post type.

You can protect as many categories as you’d like to while leaving the rest accessible to the public:

  1. Visibility options in WooCommerce Protected Categories plugin.
    Go to the 'Add/Edit Category' page.
  2. Add a new category or edit an existing one.
  3. Under the ‘Visibility’ section above the ‘Add New Category’ button, select ‘Protected’.
  4. Set a password and/or select user roles or specific users who can access the post/product.
  5. In the WordPress Media Library List view, protect your attachment file and then click on ‘Configure File Protection’.
  6. Select the ‘File Access Permission’ tab and choose the same user roles as per step 4.

Where to get the plugins

Password Protected Categories and WooCommerce Protected Categories are the top WordPress security plugins. They work seamlessly with both Download Monitor and Prevent Direct Access Gold. It's the perfect way to protect both your content and WordPress private files to specific user roles.

Now, you can not only protect your private attachment files against Google and unwanted users. Simply by logging into their user account, your visitors can unlock both your attachments and protected media library files, as well as content.

Do you have any questions on how to password protect your website content and attachment files in WordPress? Please let us know in the comments section below.


  1. Hello,
    I want to offer certain products (video downloads) to specific users as it will have their branding, can i have a login page as the homepage? Also do you allow videos on product pages? is there a theme you could recommend for this.

    • Hi, John. Thanks for your interest in WooCommerce Protected Categories.

      You can create a login form customized for each user's or user role's branding via the Theme My Login plugin, as discussed in our article: User and role protected categories.

      Yes, in WooCommerce you can embed videos in the product description field, which will display in the single product pages.

      Our plugins have been coded to work with any theme, and I recommend those that are fully WooCommerce-compatible, such as the default Storefront theme by Automattic, and the Boutique and Deli themes by WooCommerce. We also mention other themes at (albeit the article is about another plugin of ours, these should also work well with WooCommerce Protected Categories).

    • Hi Cassandra, we don't have a video for this tutorial yet and hope to add one in future. Thanks for the suggestion!

      • I look forward to it eagerly. Thank you once again.

Please share your thoughts...

Your email address will not be published. Required fields are marked *