Rewrite Rules

MemberPress uses some advanced apache rewrite rules to protect files not controlled directly by WordPress.

Once your rewrite rules are setup properly a Custom URI rule in MemberPress should be able to protect any file types except:

php, phtml, jpg, jpeg, gif, css, png, js, ico, svg, woff, ttf and xml

These file types are excluded in order to avoid possible performance issues.

Here’s how you can construct your rewrite rules on various web servers:

Apache & Litespeed

Most web hosts offering WordPress are running Apache as their web server. If you’re running Apache and your apache user has write access to your document root (which is the most common configuration) then you shouldn’t have to alter your rules at all … MemberPress should be able to automatically place your rules properly.

However, if you do need to edit your apache rewrite rules here is what you’ll need to add after WordPress’ rules (make sure you replace “{{path to your wordpress docroot}}” with your actual docroot path):

<IfModule mod_rewrite.c>

RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
RewriteCond {{path to your wordpress docroot}}/wp-content/uploads/mepr/rules/%1 -f
RewriteRule ^(.*)$ - [L]

RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes)
RewriteCond %{REQUEST_URI} !\.(php|phtml|jpg|jpeg|gif|css|png|js|ico|svg|woff|ttf|xml|PHP|PHTML|JPG|JPEG|GIF|CSS|PNG|JS|ICO|SVG|WOFF|TTF|XML)
RewriteRule . /wp-content/plugins/memberpress/lock.php [L]



The only known way to get Nginx rules working is to put them directly into the nginx config file for your site.

Here are the rules you could add in your “location /” block:

location / {
    root   {{path to your wordpress docroot}};
    index  index.php;

    # Make sure the home page goes home
    if ($uri ~ ^\/$) {
      rewrite ^ /index.php?$args last;

    # Main WordPress rewrite rule
    if (!-e $request_filename) {
      rewrite ^ /index.php?$args last;

    # Setup lock variables
    set $mplk_uri "/wp-content/plugins/memberpress/lock.php";
    set $mplk_file "{{path to your wordpress docroot}}/wp-content/uploads/mepr/rules/${cookie_mplk}";
    # don't lock the lock uri
    if ($uri ~* "^/(wp-admin|wp-includes)") { break; }
    if ($uri ~* "\.(php|phtml|jpg|jpeg|gif|css|png|js|ico|svg|woff|ttf|xml)") { break; }
    # we don't deal with directories in the url
    if (-d $request_filename) { break; }
    # redirect if the lock file's a dir or doesn't exist
    if (-d $mplk_file) { rewrite ^ $mplk_uri last; }
    if (!-e $mplk_file) { rewrite ^ $mplk_uri last; }

IIS and other web servers

Currently we don’t have any supported rules for these servers. A developer familiar with IIS or the current webserver should be able to adapt the apache rewrite rules to work with their setup.