Out of the box, Paid Memberships Pro will give you many options to lock down your WordPress posts and pages. You made need to restrict access to protected files as well. PMPro comes bundled with a script to lock down media and file attachments uploaded to protected posts; you just need to add constant definition and a couple lines to your .htaccess file to direct traffic to those files to the bundled script.

You can also lock down non-WordPress files and entire directories of files using Paid Memberships Pro. The basic method is the same: (1) add a mod_rewrite rule to your .htaccess file to direct traffic to the directory and file to a special script, and (2) run a script to check for membership before serving the file.

Below is sample code for your the rewrite rule and the script to serve the file along with a description of how it works.

Banner for Advanced Code Recipe Tutorial for Paid Memberships Pro

Table of contents

Step 1: Set Up a Rewrite Rule

To get this to work, we need to tell Apache to reroute traffic to /protected-directory/file.etc to the script we are going to setup. You should add code like the following to the top of your .htaccess file (before the WordPress rules).

# BEGIN protected folder lock down
RewriteBase /
RewriteRule ^protected-directory/(.*)$ /index.php?pmpro_getfile=$1 [L]

RewriteBase /
RewriteRule ^protected-directory/(.*)$ /index.php?pmpro_getfile=$1 [L]

RewriteBase /
RewriteRule ^protected-directory/(.*)$ /index.php?pmpro_getfile=$1 [L]

# END protected folder lock down

This rewrite rule detects anything in the /protected-directory/ folder and routes that traffic to yoursite.com/index.php?pmpro_getfile={url to the file}. This assumes your homepage is running and loading WordPress. If not, you’ll have to direct traffic to a page that does load WordPress.

For NGINX servers, the rule to add will look like this:

rewrite ^protected-directory/(.*)$ /index.php?pmpro_getfile=$1 last;

Next up, we’ll add code to WordPress to detect URLs like this and load the files.

Step 2: Turn On PMPro’s Get File Script

Here is the code that should be added to your customizations plugin.

The sample code here simply checks for any membership level. If you need to get more specific, you can update the line with the pmpro_hasMembershipLevel() call to check for specific levels or check for certain values in the $pathParts array and check certain levels based on that.

We do a little bit of PHP magic to figure out the PATH to a file based on the URI passed, which may need to be tweaked a bit depending on your setup as well. Once that path is detected, we check for membership. If the user is a member, we use the MimeType class bundle with PMPro to figure out the MimeType of the file and then serve it up through PHP.

A Note on Memory Use

In order to serve a file this way, PHP will need a bit more memory than the filesize of the largest file served this way. If you get partial file downloads or receive some errors once this code is enabled, you can try to increase your PHP memory by adding the following line to your wp-config.php file.

define('WP_MEMORY_LIMIT', '64M');

Set the memory value as high as you need. Depending on your hosting setup, you may or may not have enough memory. It’s also important to not set this too high necessarily because it can tie up memory in cases where you don’t need to.

Other Notes

Note that if you lock down files using this code that other scripts, cron jobs, and Flash scripts that load files may not be able to load your files since they aren’t WordPress users with a membership level. If you need to allow certain scripts to access the files, you’ll have to get a bit clever at detecting that.

Additionally, if your uploads folder is served over a Content Delivery Network (CDN) — e.g. with hosts like WP-Engine — then the requests won’t be routed through your .htaccess rules. You’ll have to disable the CDN or exclude certain files and folders. This could reduce the performance of your whole site (since images and scripts may not be loaded over the CDN as well as files you do want run through getfile).

Adding the Recipe to Your Website

You can add this recipe to your site by creating a custom plugin or using the Code Snippets plugin available for free in the WordPress repository. Read this companion article for step-by-step directions on either method.

Jason Coleman

Author: Jason Coleman

Jason Coleman is the co-founder and CEO of Paid Memberships Pro, the most trusted membership platform that grows with you. With a deep passion for open source software, Jason is the author of Building Web Apps With WordPress, published by O'Reilly Media.

Jason's entrepreneurial spirit is driven by uncertainty, risk, and the thrill of new opportunities. With over two decades of experience in development, management, and marketing, he is committed to Paid Memberships Pro: the only open source platform focused on helping creators get paid so they can find freedom in their life and fulfill their goals.

View more articles by Jason Coleman »

Free Course: Membership Site Development—The Basics

Develop a deeper understanding of membership site development in this beginner-level course. Learn how to make your site work better, save yourself time and money, and improve your site's performance.

Take Free Course Now
Featured Image for Membership Site Development Course: The Basics
Was this article helpful?
YesNo