Category: Security

WordPress file protected with user login

Some time we deed to give option to user download PDF, Doc file the protected with user login

On Download action code as like below

foreach($download_list as $list) {
$title = $list['title'];
$download = $list['download']['url'];

$path = get_home_url().'/';
$dir = '';
$resource_src = str_replace($path, $dir, $download);
$data = base64_encode($resource_src.'^'.get_current_user_id());

$url = get_site_url()."/download.php?file=$data";
<li><a href="<?php echo $url; ?>" target="_blank"><?php echo $title; ?></a></li>

Create “download.php” file from root and add below code.


if( !get_current_user_id() )
$rew = explode('^',base64_decode($_GET['file']));
if($rew[1] != get_current_user_id())
$file = $rew[0];
$all = $_GET['all'];
if(isset($all)) {
if(json_decode($all)) {
$allFiles = json_decode($all);
} else {
$allFiles = explode(',',$all);


$zipname = 'images-'.date('YmdHis').'.zip';
$zip = new ZipArchive;
$zip->open($zipname, ZipArchive::CREATE);

foreach ($allFiles as $imgfile) {
$path_parts = pathinfo($imgfile);
$ext = strtolower($path_parts["extension"]);
if($ext != 'php') {
$zip->addFile($imgfile, basename($imgfile));
header("Content-type: application/zip");
header("Content-Disposition: attachment; filename=$zipname");
header("Pragma: no-cache");
header("Expires: 0");

if(isset($file)) {
function download_file( $fullPath ){

// Must be fresh start
if( headers_sent() )
die('Headers Sent');

// Required for some browsers
ini_set('zlib.output_compression', 'Off');

// File Exists?
if( file_exists($fullPath) ){

// Parse Info / Get Extension
$fsize = filesize($fullPath);
$path_parts = pathinfo($fullPath);
$ext = strtolower($path_parts["extension"]);

// Determine Content Type
switch ($ext) {
case "pdf": $ctype="application/pdf"; break;
case "exe": $ctype="application/octet-stream"; break;
case "zip": $ctype="application/zip"; break;
case "doc": $ctype="application/msword"; break;
case "xls": $ctype="application/"; break;
case "ppt": $ctype="application/"; break;
case "gif": $ctype="image/gif"; break;
case "png": $ctype="image/png"; break;
case "jpeg":
case "jpg": $ctype="image/jpg"; break;
default: $ctype="application/force-download";

if($ext != 'php') {
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($fullPath)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".$fsize);
readfile( $fullPath );
} else
die('Invalid File');

} else
die('File Not Found');


Create password protected directory using htaccess on server

Add security using password protected directory  on server as like admin site first ask to permission to go admin area. Add authentication on WordPress administration. Password protect our wordPress admin (wp-admin) directory. Bellow example for WordPress wp-admin password protected.

Step : 1

Login to your cpanel and go to “Password Protect Directories”.  After select directory OR add directory as your cpanel options. in my cpanel select directory in bellow screen short.


Step : 2

Add protected directory name, username, password.


Step : 3

Go to file manager and your selected directory create .htaccess file  with this script.

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any