Restricting access to wp-content to authenticated users only
Use this guide if you plan to activate the WordPress + Office 365 plugin's Intranet authentication mode and you wish to protect content uploaded to wp-content.
This guide will help you configure a solution that requires users to be signed in to your WordPress website when they request files saved in the wp-content/uploads directory. Without such a solution, these files are publicly available, i.e. they can be viewed by an anonymous user and may surface in public search engines.
Disclaimer Even though this solution has been tested and reviewed, I would like to make clear that I'm not a security expert. In case of doubt, please have your setup reviewed by an independent security consultant.
For the solution proposed here to restrict access to content in the wp-content/uploads directory, you must do two things:
- Create a so-called proxy php script in the WordPress root of your website.
- Update your .htaccess file to instruct the (Apache) web server to redirect any request for a file saved in (a subdirectory below) wp-content/uploads to the aforementioned proxy php script instead.
An example of both files can be found at the end of this article, and this example is the basis for the rest of this article. The example assumes that WordPress is installed in a subdirectory named "wordpress", e.g. "c:\wamp\www\wordpress" for a website published at "https://localhost/wordpress/". If your setup is different, e.g. WordPress is installed in the root, you may need to update the example .htaccess file on line 4 and line 14. Please also note that only lines 7 - 10 have been added to the otherwise out-of-the-box .htaccess file.
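As an added illustration of the two steps above (not the example files the article refers to, nor code from the WPO365 plugin), here is a minimal proxy script together with the rewrite rule that hands uploads requests to it; the script name wp-content-proxy.php, the query parameter name and the exact rewrite lines are assumptions, and the script relies on standard WordPress functions loaded via wp-load.php.

```php
<?php
/*
 * wp-content-proxy.php (hypothetical name), placed in the WordPress root.
 * Assumed .htaccess rule, placed before the stock WordPress rules and
 * adjusted to your RewriteBase (the example assumes /wordpress/):
 *
 *   RewriteEngine On
 *   RewriteBase /wordpress/
 *   RewriteRule ^wp-content/uploads/(.*)$ wp-content-proxy.php?file=$1 [L,QSA]
 *
 * The script loads WordPress, insists on a signed-in user, and streams only
 * files that really live below wp-content/uploads.
 */
require_once __DIR__ . '/wp-load.php';

if ( ! is_user_logged_in() ) {
    // Sends anonymous visitors to the login form and back here afterwards.
    auth_redirect();
}

$uploads     = wp_get_upload_dir();
$uploads_dir = realpath( $uploads['basedir'] );
$requested   = isset( $_GET['file'] ) ? rawurldecode( (string) $_GET['file'] ) : '';
$path        = realpath( $uploads_dir . '/' . $requested );

// realpath() resolves ".." and symlinks, so anything that ends up outside
// the uploads tree (or is not a plain file) is refused.
if ( false === $uploads_dir || false === $path
     || 0 !== strpos( $path, $uploads_dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
    status_header( 404 );
    exit;
}

// Only serve file types WordPress itself allows as uploads; a stray .php
// file in the uploads tree gets no MIME type here and is refused.
$type = wp_check_filetype( $path );
if ( empty( $type['type'] ) ) {
    status_header( 403 );
    exit;
}

nocache_headers(); // response is per-user, keep it out of shared caches
header( 'Content-Type: ' . $type['type'] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

A quick check after deploying: request an uploads URL in a private browser window and confirm you are redirected to the login page rather than served the file.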