Understanding Rewrite Rules for File Protection

MemberPress uses some advanced Apache rewrite rules to protect files not controlled directly by WordPress.

Once your rewrite rules are setup properly a Custom URI rule in MemberPress should be able to protect any file types except:

php, phtml, jpg, jpeg, gif, css, png, js, ico, svg, woff, ttf and xml

These file types are excluded in order to avoid possible performance issues.

Here's how you can construct your rewrite rules on various web servers:

Apache & Litespeed

Most web hosts offering WordPress are running Apache as their web server. If you're running Apache and your apache user has write access to your document root (which is the most common configuration) then you shouldn't have to alter your rules at all ... MemberPress should be able to automatically place your rules properly.

However, if you do need to edit your apache rewrite rules here is what you'll need to add after WordPress' rules (make sure you replace "{{path to your wordpress docroot}}" with your actual docroot path):

# BEGIN MemberPress Rules
<IfModule mod_rewrite.c>

RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
RewriteCond /var/www/somesite.com/wp-content/uploads/mepr/rules/%1 -f
RewriteRule ^(.*)$ - [L]

RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3|TS|KEY|M3U8)$
RewriteRule . /wp-content/plugins/memberpress/lock.php [L]

</IfModule>
# END MemberPress Rules

Note: with the above code, make sure that you change the fifth line (RewriteCond /var/www/somesite.com/wp-content/uploads/mepr/rules/%1 -f) to match your web-server's path. Finally, the code should be pasted directly under the # END WordPess line in the .htaccess file. 

Nginx

MemberPress does not currently support Nginx as a webserver. However, If your webhost uses Nginx as a proxy (in front of) for Apache, then you may be able to get it to work with the bypass code outlined here:

location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ { proxy_pass http://localhost:PORT_HERE; }

Important note: the PORT_HERE part will need to be changed, your host should know the correct port #.

IIS and other web servers

Currently we don't have any supported rules for these servers.