How to Customize WordPress to Restrict Access to Media Files

For this tutorial, we'll show you how to restrict acces to your media files in a couple of ways.

WordPress is an open-source platform, which is fantastic in many ways. One of its plus points is how you can customize any aspect of it to suit your own needs. For example, in its default state, WordPress gives permission to access the Media Library (and by extension, its uploads folder) to everyone. As such, if you want WordPress to restrict access to media files, you’ll need to customize the platform.

There are a couple of ways you can restrict media access within WordPress. First, there’s the manual approach. Here, you’ll access a WordPress file from your server and make some coding changes. 

Second, you can use a plugin. WordPress has a huge plugin ecosystem, where you can find extensions to boost its core functionality. As such, a plugin is a great way to also restrict access where you need it.

For this tutorial, we’ll show you how to restrict access to your media files in a couple of ways. But before that, let’s discuss why you’d want to do this in the first place.

Why You’d Want to Restrict Access to Media Files Within WordPress

Most web experts agree that unrestricted access to anything online is a bad idea. In some cases, you can’t get away from this — for example, you can access the source code for every webpage in existence through your browser’s tools. However, there are some elements of a site that you won’t want to let loose; your media uploads are a good example.

This is especially true if you run a membership or subscription site, use “content locker” plugins, or find another way to restrict your content on the front end. This is because these types of plugins work with content rather than your media. As a consequence, anyone can grab the URL for one of your media files, and share it with others. This is something you’ll want to put a stop to.

There are other reasons why you’d want to restrict access to your media, too:

  • You might find the search engines index the media you want to restrict. As a result, even more users could find those files through a quick search.
  • There are also administrative reasons to restrict media access. For example, you might run a site with multiple users, and giving everyone Media Library access would be inappropriate.
  • You can lock down your site to make it more secure by giving users the bare minimum of permissions they need. In most cases, this won’t include access to media files.

Overall, you’ll want to stop some of the access to your media (and other) files, while letting others in. There are a few ways to do this, and adding a snippet of code to WordPress is one of them.

The Manual Approach to Restrict Access to Media Files Within WordPress

Practically all tasks in WordPress are possible through coding. In this case, you can restrict access to WordPress media files if you add a short snippet to the functions.php file. This is a file that will “hook” into WordPress’ core code and add the functionality you’d like.

Before you carry out this method, though, you’ll need a few skills and tools on hand:

  • First, you’ll need to know how to access your site’s server through Secure File Transfer Protocol (SFTP).
  • You should have administrator access to your server.
  • You’ll also need a suitable SFTP client, such as FileZilla or Cyberduck.
  • If you don’t know how to find the files you need based on the WordPress architecture, you’ll need to learn this.
  • Your coding skills will need to be sharp, too, as you’ll have to add a few lines to the functions.php file.

This list is long, and it’s not something every user will want (or be able) to do. We can’t show you the full steps here, as it’s beyond the scope of the piece. However, we can summarize the steps:

  1. First, open your SFTP client, and log in using the relevant credentials.
  2. Next, browse to your site’s directory, and look for the functions.php file.
  3. Open it using either a text editor such as Notepad or TextEdit, or a dedicated code editor.
  4. Add a snippet of code and save your changes.

As for the snippet itself, here it is:

// This snippet restricts access to WordPress' media to certain users .
add_filter( 'ajax_query_attachments_args', 'user_show_attachments' );
function user_show_attachments( $query ) {
    $user_id = get_current_user_id();
    if ( $user_id && !current_user_can('activate_plugins') && !current_user_can('edit_others_posts
') ) {
        $query['author'] = $user_id;
    return $query;

In short, this function looks to see if a user can activate plugins and edit posts that are not theirs. If they can’t, they also can’t view media and work with attachments.

On the surface, this is an ideal solution. However, as we’ll explain next, it’s not the best one.

Why You’d Want to Find a Better Solution for Restricting Media Library Access

While using code solutions to fix problems is fine in principle, it’s not always the best approach. This is for a few different reasons:

  • First, you are doing something akin to “hard-coding” the functionality into WordPress. This means the feature will always be there regardless of the themes and plugins you install on your site.
  • This isn’t a problem until you understand that there are now two locations where you have new functionality: your plugins folder, and your functions.php file. If you forget about the latter, it can cause problems in the future.
  • Your coding might clash with the code of another plugin, which can cause bugs and errors.
  • It’s also not flexible, in that you will have to code in more flexibility, new features, and more.

In contrast, plugins are the preferred way to integrate with WordPress. It’s the recommended approach for almost all users to work with extra functionality. Next, we’re going to show you a few options.

How Plugins Can Help You Restrict Media Library Access Within WordPress (4 Solutions)

Throughout this section, we’re going to roundup four different solutions to help you restrict access to your media files. However, if this is a subject you already have some knowledge in, you’ll spot that we don’t include Restrict Media Library Access. This is a popular plugin option for the task, but it’s not part of our list.

This is because it no longer offers compatibility with current versions of WordPress. As such, we can’t guarantee it will work on your system. However, the rest of this list is all current, up to date, and full-featured.

1. Download Monitor

First off, we have the Download Monitor plugin. It can help you restrict media file access once you upload to the plugin, but can do much more. In fact, this plugin could be your ticket to better download management within WordPress.

The Download Monitor plugin.
Download Monitor

It offers a full suite of features, functionality, and tools to make adding and accessing downloads a user-friendly experience:

  • You’re able to offer different versions of a file for download — a history, collated by version.
  • You can customize almost any aspect of your download interface. This is great news if you want to match your download buttons to your site’s branding.
  • There is also functionality for you to sell downloads through the plugin and WordPress. If you dream of running your own downloads store, Download Monitor can make it happen.
  • You can restrict access to downloads on a user-wide basis using the Advanced Access Manager extension.

ℹ️ Learn all about the capabilities of Advanced Access Manager, by following this link.

While you can find the plugin for free on the WordPress Plugin Directory, you won’t get the full Download Manager experience with it. For more value, you’ll want to consider a premium subscription. Higher tiers offer more functionality, so you’ll want to compare them all to find out which one is right for you.

Download Monitor

Grow your audience, track download performance, and convert your traffic into email subscribers with an easy-to-use digital downloads solution for WordPress.

2. Content Control – User Access Restriction Plugin

The Content Control plugin lets you restrict access to all sorts of WordPress content and media. However, it doesn’t do this only through the WordPress admin screens, but also through shortcodes.

The Conten Control – User Access Restriction plugin.
Content Control

For a plugin that’s completely free, it offers a number of powerful and flexible features under the hood:

  • You get to restrict access to users based on the user role or logged-in status. What’s more, you get to restrict access to all manner of posts, pages, and media. In addition to global content, you can also restrict access based on taxonomies, too.
  • You’re able to display custom messages to users to notify them they can’t access certain files, with full customization available.
  • Depending on the status of the user, you can display or hide certain pieces of content as appropriate.

The shortcode option is a neat way to restrict access, and there are lots of powerful parameters at your disposal. For example, you can specify which user roles can see the content, display a custom message, and more. For all restricted pages, you can apply custom CSS classes, too. This gives you plenty of scope when it comes to design and customization.

3. Prevent Direct Access – Protect WordPress Files

The Prevent Direct Access plugin achieves what it sets out to do. It helps you protect your WordPress files, not only from users but also from search engines and other indexing tools.

The Prevent Direct Access – Protect WordPress Files plugin.
Prevent Direct Access

You use this plugin directly from the WordPress Media Library, and it will protect every file you upload directly or through the interface within posts and pages. It also offers plenty more in the box:

  • Only administrators and the file uploader get access to a file. While this might seem restrictive, it gives you less margin for error when you restrict files.
  • Each file you protect has a unique private download link that you can share with others.
  • There are ways to block IP addresses and restrict search engine indexing.
  • You’re also able to stop hotlinking and completely protect the WordPress uploads folder.

While the core plugin is free, you can also upgrade to the premium version: PDA Gold. This offers plenty more, such as further encryption for your files, the ability to protect complete folders with one click, and integrations with plugins such as LearnDash and the WordPress Multisite functionality.

4. Advanced Access Manager

The Advanced Access Manager plugin is not related to our extension of the same name, but it packs a near-comparable punch when it comes to helping you protect your files.

The Advanced Access Manager plugin.
Advanced Access Manager

The plugin gives you fine-grained control over who can access your files, folders, and media. Here’s what you’ll get in the box:

  • You can manage access for all user roles on your site, even on an individual basis. What’s more, you can even control access for visitors and users who don’t log in.
  • You’re able to define the access for your posts, pages, custom taxonomies, custom post types, and more.
  • The plugin offers lots of scope for extra development, as it offers a number of “hooks,” “filters,” and customization options. It also connects to the WordPress REST API, so you have a familiar way to integrate additional functionality into the plugin.

While there are premium tiers, you might not need them. The Advanced Access Manager plugin provides all its core functionality free of charge, and it’s a solution that heaves with highlights.

How to Customize WordPress to Restrict Access to Media Files Using Download Monitor

So far, we’ve talked about global restricted access to WordPress media. However, Download Monitor offers a better and more flexible way to protect your files and manage them in a more optimal manner. It lets you leverage this functionality once you upload your media files to the plugin itself.

You’ll need to install at least the free version of Download Monitor, but the premium version will offer more scope to protect files.

Using Download Monitor

Once you install and activate the plugin, head to the Downloads > Settings > General screen within WordPress:

Download Monitor's General tab.
Download Monitor Settings

There are a few options here you can toggle to help restrict all files:

  • Prevent client-side downloads. This stops end-users from right-clicking and downloading images from the browser — very handy to stop thieves.
  • Include in search. This option doesn’t let your media become a part of your internal search results, which means most users won’t stumble across individual files.
  • File browser. Some users know how to see the internal directory structure of your site, including your media. This option stops it from happening.

From here, you can check out the Access tab for options that relate to the message a restricted user will see, along with ways to add IP addresses and user agents to your blocklist:

The Download Monitor Access tab, that shows a 'No Access' message, and blocklists.
Access tab

By default, Download Monitor protects your uploads folder on Apache servers without any intervention on your part. You’ll be able to see this on the Miscellaneous tab. However, if you run an Nginx server, Download Monitor will notify you and give you the code you need to implement protection:

The Access tab within Download Monitor's settings, showing the code to help regenerate protection for the upload folder.
Regenerate protection for uploads folder

This is all available within the free version, but there’s more on hand if you choose to upgrade.

Download Monitor’s Premium Tools for Restricting Content

There are two other tabs that you’ll also want to look into, depending on the strategy you have for your website, and whether you run a premium version of Download Monitor:

🔥 As such, Download Monitor gives you almost all the tools you need to not only protect your media files, but manage them in a better way too. It’s a step above any manual method or plugin focused on restricting files, and lets you run a full download management system without friction, on your WordPress website.

Download Monitor

Grow your audience, track download performance, and convert your traffic into email subscribers with an easy-to-use digital downloads solution for WordPress.

In Summary

While WordPress is an open platform in a number of ways, one facet of the platform you might not want to share is access to your media files. This is sometimes not the most secure or stable decision for your site.

However, there are lots of plugins that help you restrict access to media files within WordPress. Download Monitor is the pick of the bunch. It includes plenty of user permission and access controls that help you restrict not just media, but also almost everything on your WordPress website.

You’ll use the plugin to upload media files to WordPress, then enable better security using the Download Monitor feature set. It’s the ideal solution if you need a full-featured download management tool for WordPress

Tom Rankin
Tom Rankin

Tom Rankin is a quality content writer for WordPress, tech, and small businesses.

When he's not putting fingers to keyboard, he can be found taking photographs, writing music, playing computer games, and talking in the third-person.

Start Protecting your WordPress Downloads

Protect and track downloads on WordPress... What are you waiting for?