Understanding Rewrite Rules for File Protection

Though these instructions are still valid, we have since released the MemberPress Downloads Add-on, so if you are unable to get file protection working with your web server, you might check it out. Click here to read more about it.

MemberPress uses some advanced Apache rewrite rules to protect files not controlled directly by WordPress. 

Once your rewrite rules are set up properly, a Custom URI rule in MemberPress should be able to protect any file type except:

php, phtml, jpg, jpeg, gif, css, png, js, ico, svg, woff, ttf and xml

These file types are excluded in order to avoid possible performance issues.

Here's how you can construct your rewrite rules on various web servers:

Apache & Litespeed

Note: MemberPress disables our custom rewrite rules by default. You may need to go to MemberPress->Settings->General, uncheck the "Disable Rewrite Rules" checkbox, and save the changes in order for custom URI rules to work.

Most web hosts offering WordPress are running Apache as their web server. If you're running Apache and your Apache user has write access to your document root (which is the most common configuration), then you shouldn't have to alter your rules at all. MemberPress should be able to place your rules properly automatically.

However, if you do need to edit your Apache rewrite rules, here is what you'll need to add after WordPress' rules:

# BEGIN MemberPress Rules
<IfModule mod_rewrite.c>

RewriteCond %{HTTP_COOKIE} mplk=([a-zA-Z0-9]+)
RewriteCond /var/www/somesite.com/wp-content/uploads/mepr/rules/%1 -f
RewriteRule ^(.*)$ - [L]

RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)
RewriteCond %{REQUEST_URI} \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8|ZIP|GZ|TAR|RAR|DOC|DOCX|XLS|XLSX|XLSM|PDF|MP4|M4V|MP3|TS|KEY|M3U8)$
RewriteRule . /wp-content/plugins/memberpress/lock.php [L]

</IfModule>
# END MemberPress Rules

Note: The code should be pasted directly under the # END WordPress line in the .htaccess file.

Note: You will need to make sure you replace /var/www/somesite.com/ with your actual docroot path.
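
To see which requests the Apache rules above send to lock.php and which they leave alone, this added Python example (not MemberPress code) models the two rules and lists the paths a visitor without a lock cookie would receive directly. It assumes request_uri is the URL path without the query string and does not model WordPress' own rules; the function names and sample paths are constructed for illustration.

```python
import os
import re

# Patterns copied from the Apache rules on this page.
COOKIE_RE = re.compile(r"mplk=([a-zA-Z0-9]+)")
EXCLUDED_RE = re.compile(r"^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)")
EXTS = "zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8"
# The Apache condition lists each extension in lower and upper case only.
PROTECTED_RE = re.compile(r"\.(" + EXTS + "|" + EXTS.upper() + r")$")


def decide(request_uri, cookie_header, rules_dir):
    """Model the two rules for one request.

    'pass' = cookie names an existing rule file, request is left alone
    'lock' = request is rewritten to lock.php
    'open' = neither rule applies, the web server serves the file directly
    """
    m = COOKIE_RE.search(cookie_header or "")
    if m and os.path.isfile(os.path.join(rules_dir, m.group(1))):
        return "pass"
    if not EXCLUDED_RE.search(request_uri) and PROTECTED_RE.search(request_uri):
        return "lock"
    return "open"


def audit(uris, rules_dir):
    """Return the URIs a visitor without a lock cookie would receive directly."""
    return [u for u in uris if decide(u, "", rules_dir) == "open"]


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real site.
    sample = [
        "/wp-content/uploads/2024/handbook.pdf",
        "/wp-content/uploads/2024/cover.jpg",
        "/wp-content/uploads/2024/Scan.Pdf",
        "/wp-content/plugins/example/manual.pdf",
        "/members/course.mp4",
    ]
    rules_dir = "/var/www/somesite.com/wp-content/uploads/mepr/rules"
    for uri in audit(sample, rules_dir):
        print("not routed through lock.php:", uri)
```

Any path this reports for a file you intend to protect needs a different location or file name, since these rules will not route it through lock.php.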


MemberPress does not officially support Nginx as a web-server. However, you may have luck getting your webhost support team to implement one of the following for you.

Nginx as an Apache Proxy

If your web host uses Nginx as a proxy in front of Apache:

location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ {
  proxy_pass http://localhost:PORT_HERE;
}

Note: The PORT_HERE part will need to be changed; your host should know the correct port number for Apache.

Nginx as a Standalone Webserver

If you're using only Nginx as the web-server, you might have success with the following location block in your Nginx configuration file:

        location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ {
                # Setup lock variables
                set $mplk_uri "/wp-content/plugins/memberpress/lock.php";
                set $mplk_file "/var/www/html/wp-content/uploads/mepr/rules/${cookie_mplk}";

                # don't lock the lock uri
                if ($uri ~* "^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)") { break; }

                # redirect if the lock file's a dir or doesn't exist
                if (-d $mplk_file) { rewrite ^ $mplk_uri last; }
                if (!-e $mplk_file) { rewrite ^ $mplk_uri last; }
        }

If the above does not work (especially if you are on Flywheel Cloud Hosting) try the version below instead:

        location ~ ^/wp-content/plugins/memberpress/lock.php { include fastcgi.conf; }
        location ~* \.(zip|gz|tar|rar|doc|docx|xls|xlsx|xlsm|pdf|mp4|m4v|mp3|ts|key|m3u8)$ {
                # Setup lock variables
                set $mplk_uri "/wp-content/plugins/memberpress/lock.php";
                set $mplk_file "$document_root/wp-content/uploads/mepr/rules/${cookie_mplk}";

                # don't lock the lock uri
                if ($uri ~* "^/(wp-admin|wp-includes|wp-content/plugins|wp-content/themes)") { break; }

                # redirect if the lock file's a dir or doesn't exist
                if (-d $mplk_file) { rewrite ^ $mplk_uri last; }
                if (!-e $mplk_file) { rewrite ^ $mplk_uri last; }
        }

Note: In the first version, you will need to alter the /var/www/html/ portion of the $mplk_file path to match the path to your WordPress installation folder.

IIS and other web servers

Currently we don't have any supported rules for these web-servers.
