Protect WordPress Uploads


Protect WordPress Uploads is a simple and easy way to protect WordPress uploads.

Seamlessly integrated, you can easily protect your WordPress uploads by just one single click. Once protected, they cannot be accessed directly through their original, unprotected links (URLs). Unwanted users will be redirected.


  • Unlimited protected WordPess Uploads.
  • Files are not indexed in Google or any other search engine.
  • Filter by private uploaded files in the Media Library.
  • Works with Apache and NGINX.
  • Easy upload, protect and unprotect your WordPress Uploads.
  • ACF-filter available.
  • Available in 7 languages and counting.

Available languages

  • English
  • Spanish (thanks to @yordansoares)
  • Russian
  • Japanese (thanks to @nao)
  • Dutch

From within WordPress

  1. Visit ‘Plugins > Add New’
  2. Search for ‘Protect WordPress Uploads’
  3. Activate ‘Protect WordPress Uploads’ from your Plugins page.
  4. Go to “after activation” below.


  1. Upload the ‘wp-private-media’ folder to the ‘/wp-content/plugins/’ directory
  2. Activate the ‘Protect WordPress Uploads’ plugin through the ‘Plugins’ menu in WordPress
  3. Go to “after activation” below.

After activation

  1. You should see the menu item ‘Protect WP Files’ in the admin menu.
  2. On the wp-admin/upload.php page, you should see an extra admin column called URL.


  1. If you use NGINX as WEBSERVER, add a rewrite to your NGINX config file. Look into the folder _rewrites for an example.


For more information on how to use the filters please go to the plugin explanation page

Plugin / Theme Support


  • Protect WordPress Uploads introduction.
  • Upload a protected upload.
  • Filter by protected uploads.
  • Download restriction screen.
  • Attachment copy protected link.


If there are any questions please don’t hesitate to send them to

How can I control which role can upload protected files?

We added a capability ‘manage_pwpf_files’. You can assign this capability to any role in WordPress by using a roles & capabilities plugin.

If the file is protected is it possible to unprotect?

Yes, there is an option to unprotect files. The file will be moved to the public wp-uploads/ folder.

Can everyone download protected files?

No, only logged in users can download files.

Is there a role restriction who can and who cannot download?

Currently, all users with any role could download protected files.

Is the file encrypted?

No, not yet but we are working on that.


The files in the upload folder are normally accessible for everyone. With this plugin, files in the upload folder can be protected. Only logged in users can see these protected files. I am using it on WP v 5.6 and it works. Please keep maintaining this awesome plugin!
Love this little plugin, thank you! It's simple, yet very effective, very good integration, no unnecessary bells and whistles, easy to use and explain to webmasters. The info page says the plugin is compatibel to: 5.4.2. But on my 5.5.1 it seems to still work just fine. PS. Add a donate button, this plugin deserves it.


“Protect WordPress Uploads” 是一個開源的軟體。以下的人對這個外掛作出了貢獻。


Protect WordPress Uploads 外掛目前已有 6 個本地化語言版本。 感謝所有譯者為這個外掛做出的貢獻。

將 Protect WordPress Uploads 外掛本地化為台灣繁體中文版。


任何人均可瀏覽程式碼、查看 SVN 存放庫,或透過 RSS 訂閱開發記錄


  • Removed settings, introduction page for editors role.
  • Removed renaming function for admin menu.
  • Removed nginx message for non-administrators.

  • Added capability for editor role
  • Small bug fix in admin menu for other roles than administrator

  • Added check and error message for WP sites with plain permalink structure
  • Small text-domain changes
  • Small picture / design changes

  • Tested with WP 5.6.1
  • Small fix, issue with WP Forms.

  • Added documentation link.
  • Updated some links to new website

  • Update, settings page, linkback url added for protection message.
  • Small warning fix in PWPF_url_by_slug() function, thanks to @mreisphotography.

  • Fix for slug for backend grid view thumbs.

  • Fix for slug for backend thumbs.


  • Grid and List view thumbnails added.
  • Settings page added to change the protection message.
  • Changed the wp-admin upload icon to SVG.
  • Fix for downloading large files PWPF_handle_private_download().
  • Fix remove image sizes in the private folder after unprotect the file.


  • Small fix on a translation, wrong text domain


  • Changed site_url() to get_bloginfo(‘url’).
  • Small code changes in pwpf-messages.php.
  • Added media library filter to filter by protected uploads.
  • Added support page.
  • Some changes on the wizard page.
  • Moved wizard template from function to admin-templates folder.


Added unprotect function.


Capability “manage_pwpf_files” moved to init.


Capability “manage_pwpf_files” added.


Small fix for the introduction page.


Updated the upload UX/UI design with upload progressbar.
Added upload-check for supported WordPress mimetypes.
Added introduction page.
Moved js/css to assets folders.


Added Dutch Translation.


Fixed small bug in ACF support filter.


ACF support with upload filter.


Small bug fix for filter – private_media_url_by_array.
It always returned the file url when using the filter without checking if the file is protected or not.


Small bug fix for remove _nginx message in admin.


First realease on May 17th, 2019