MemberPress uses some advanced Apache rewrite rules to protect files not controlled directly by WordPress.
Once your rewrite rules are setup properly a Custom URI rule in MemberPress should be able to protect any file types except:
php, phtml, jpg, jpeg, gif, css, png, js, ico, svg, woff, ttf and xml
These file types are excluded in order to avoid possible performance issues.
Here's how you can construct your rewrite rules on various web servers:
Apache & Litespeed
Most web hosts offering WordPress are running Apache as their web server. If you're running Apache and your apache user has write access to your document root (which is the most common configuration) then you shouldn't have to alter your rules at all … MemberPress should be able to automatically place your rules properly.
However, if you do need to edit your Apache rewrite rules here is what you'll need to add after WordPress' rules:
# BEGIN MemberPress Rules <IfModule mod_rewrite.c> RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+) RewriteCond /var/www/somesite.com/wp-content/uploads/mepr/rules/%1 -f RewriteRule ^(.*)$ - [L] RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes) RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3|TS|KEY|M3U8)$ RewriteRule . /wp-content/plugins/memberpress/lock.php [L] </IfModule> # END MemberPress Rules
Note: The code should be pasted directly under the # END WordPess
line in the .htaccess file.
Note: You will need to make sure you replace /var/www/somesite.com/ with your actual docroot path.
Nginx
MemberPress does not officially support Nginx as a web-server. However, you may have luck getting your webhost support team to implement one of the following for you.
Nginx as an Apache Proxy
If your webhost uses Nginx as a proxy (in front of) for Apache:
location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ { proxy_pass http://localhost:PORT_HERE; }
Note: The PORT_HERE part will need to be changed, your host should know the correct port # for apache.
Nginx as a Standalone Webserver
If you're using only Nginx as the web-server, you might have success with the following location block in your Nginx configuration file:
location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ { # Setup lock variables set $mplk_uri "/wp-content/plugins/memberpress/lock.php"; set $mplk_file "/var/www/html/wp-content/uploads/mepr/rules/${cookie_mplk}"; # don't lock the lock uri if ($uri ~* "^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)") { break; } # redirect if the lock file's a dir or doesn't exist if (-d $mplk_file) { rewrite ^ $mplk_uri last; } if (!-e $mplk_file) { rewrite ^ $mplk_uri last; } }
If the above does not work (especially if you are on Flywheel Cloud Hosting) try the version below instead:
location ~ ^/wp-content/plugins/memberpress/lock.php { include fastcgi.conf; }<br> location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ {<br> # Setup lock variables<br> set $mplk_uri "/wp-content/plugins/memberpress/lock.php";<br> set $mplk_file "$document_root/wp-content/uploads/mepr/rules/${cookie_mplk}";<br> # don't lock the lock uri<br> if ($uri ~* "^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)") { break; }<br> # redirect if the lock file's a dir or doesn't exist<br> if (-d $mplk_file) { rewrite ^ $mplk_uri last; }<br> if (!-e $mplk_file) { rewrite ^ $mplk_uri last; }<br> }
Note: You would need to alter the /var/www/html/ portion of the path in the line below, to match the path to your wordpress installation folder
IIS and other web servers
Currently we don't have any supported rules for these web-servers.