Here's How To Protect Your Content Folders

Tips and Tricks HQ Forum » WP eMember » WP eMember F.A.Q/Instructions

Here's How To Protect Your Content Folders

(2 posts) (2 voices)

Started 6 months ago by jessesmithproductions
Latest reply from Kirk
Possible Solutions (Related Topics):

Tags:

amazon s3

jessesmithproductions
Member

Greetings,

Several eMember users whose sites include links to content such as mp3s, pdfs, videos, etc. have asked if there is a way to password-protect the folders in which these files reside. The concern is that while eMember restricts access to the subscriber-only pages containing the links, the folder containing the content is open, and a subscriber to your site can simply share the download link itself with someone else.

Good news: There is a way to protect the folder containing your content, while also using eMember to manage subscriptions to your site.

The solution can be found here:

http://www.tanzilo.com/2008/10/18/password-protect-sub-directory-in-wordpress-by-htaccess/

And I will describe how I implemented it on my site. I have not delved into all the possible tweaks. I have simply put together a solution that makes sense and works - for me. Others may want to tinker further.

Step 1: I created the directory (folder) "download" for my protected content, using cPanel:

http://www.my_website.com/public_html/wordpress/download

and I uploaded an mp3 into this directory.

(I have deviated slightly from the directions found at tanzilo.com, by putting my content folder not in my site's root directory, but inside my /wordpress directory. This was to avoid some potential conflicts with pretty links.)

Step 2: As directed by tanzilo.com, I edited the file http://www.my_website.com/public_html/wordpress/(dot)htaccess from this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</IfModule>
# END WordPress

to this:

# To bypass download directory
ErrorDocument 401 /%{REQUEST_URI}/myerror.html
ErrorDocument 403 /%{REQUEST_URI}/myerror.html
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wordpress/index.php [L]
</IfModule>
# END WordPress

Step 3: Using cPanel, I password-protected the directory http://www.my_website.com/public_html/wordpress/download. At this point, every time you add a subscriber with a User Name and Password to eMember who needs access to this directory - in my case, to access the mp3 - you must also add this User Name and Password in cPanel to the directory http://www.my_website.com/public_html/wordpress/download.

That's pretty much it. Now no outsider can enter this into their browser:

http://my_website.com/wordpress/download/my_audio_file.mp

and get the mp3 - because now cPanel requires a User Name and Password for the download folder.

Now, just a little extra detail:

In my case, my subscriber, who is paying for access to the mp3 in my http://www.my_website.com/public_html/wordpress/download directory, sees two things on her content page: the Audio Player button, and a download link below it. If I make them both link to the mp3 in http://www.my_website.com/public_html/wordpress/download thusly:

Audio player link: [audio:http://my_website.com/wordpress/download/my_audio_file.mp3]

and

Download link: href="http://my_website.com/wordpress/download/my_audio_file.mp3"

then clicking on either link will trigger cPanel to ask for a User Name and Password for the http://www.my_website.com/public_html/wordpress/download directory. Since the Audio Player button does not reveal the download link to the mp3, I would prefer that clicking on it would play the mp3 without requiring a cPanel User Name and Password, to save my subscribers the bother, whilst clicking on the download link would require a User Name and Password.

To accomplish this, I simply create a second unprotected folder (download_2) to hold a duplicate copy of the mp3, and link the Audio Player to this mp3, and link the download link to the mp3 inside the cPanel protected folder, thusly:

Audio player link: [audio:http://my_website.com/wordpress/download_2/my_audio_file.mp3]

and

Download link: href="http://my_website.com/wordpress/download/my_audio_file.mp3"

This works for me. If I go to a second computer, and enter in the browser http://my_website.com/wordpress/download/my_audio_file.mp3, it asks for the cPanel User Name and Password.

Cheers, and Good Luck!

Posted 6 months ago #
Kirk
Member

Your solution works, but will cause too much of a maintenance issue trying to keep everything in sync. Also it might be too much effort for non-technical people who just want their site to work and are not confident fiddling with .htaccess files etc.

For my own sites where I have to stream video and have protected downloads for website members, I store all the files on Amazon S3 and I use the WP Lightbox Ultimate plugin from Tips and Tricks HQ. You can also use S3FlowShield which is pretty good, but it is 3x more expensive.

Then all you need to do is upload all your files to Amazon S3 and set the folder permissions accordingly. Name your buckets something unique like 'media.yourdomain.com'. This way, if you ever sell your site, you can just create the 'media' subdomain on your site and upload everything into that subdomain. A few tweaks on relevant pages and everything will be working the same (not secure, but the new owner can then copy the files to their own S3 account).

Then just protect your posts / pages so your members have to login to view the videos etc.

If you are on shared hosting, I strongly recommend to use Amazon S3 to reduce the load on your web server, otherwise a few people downloading video files will slow down your site to other visitors, and hence you could be losing sales due to your unresponsive web server.

I use VPS and dedicated servers, and even though I have more CPU power than shared hosting, I still use Amazon S3 to keep my sites responsive.

The cost to use Amazon S3 is very low. Easily less than a few dollars a month, even for moderate usage.

Have a look at the screencast I did on "How to Embed Protected Videos from Amazon S3".
http://www.tipsandtricks-hq.com/wordpress-lightbox-ultimate-plugin-display-media-in-a-fancy-lightbox-overlay-3163

The plugin has been updated since then and it is now easy to add secure links to files as well, just using the plugin.

PS: Here's another tip. Make sure you have a valid email address which is webmaster@yourdomain.com. The reason being is that if you make errors in your .htaccess file and cause a server error, the default error given to the user will be something like "contact the owner at webmaster@yourdomain.com". This way, if something goes wrong, a nice person might send you an email that your site is broken. If you don't have that 'webmaster' email address, then you won't be contactable.

Posted 6 months ago #

RSS feed for this topic

Reply

You must log in to post.