Protect WordPress Uploads


Protect WordPress Uploads is a simple and easy way to protect WordPress uploads.

Seamlessly integrated, you can easily protect your WordPress uploads by just one single click. Once protected, they cannot be accessed directly through their original, unprotected links (URLs). Unwanted users will be redirected.


  • Unlimited protected WordPess Uploads.
  • Files are not indexed in Google or any other search engine.
  • Filter by private uploaded files in the Media Library.
  • Works with Apache and NGINX.
  • Easy upload, protect and unprotect your WordPress Uploads.
  • ACF-filter available.
  • Available in 7 languages and counting.

Upcoming features June 2020

  • File encryption & file decryption.
  • Protection by role.
  • Protection by user.
  • Frontend download button shortcode & Gutenberg block.
  • Frontend files library shortcode.
  • Download slug customization.
  • Available in 10+ languages.

Available languages

  • English
  • Spanish (thanks to @yordansoares)
  • Russian
  • Japanese (thanks to @nao)
  • Dutch

From within WordPress

  1. Visit ‘Plugins > Add New’
  2. Search for ‘Protect WordPress Uploads’
  3. Activate ‘Protect WordPress Uploads’ from your Plugins page.
  4. Go to “after activation” below.


  1. Upload the ‘wp-private-media’ folder to the ‘/wp-content/plugins/’ directory
  2. Activate the ‘Protect WordPress Uploads’ plugin through the ‘Plugins’ menu in WordPress
  3. Go to “after activation” below.

After activation

  1. You should see the menu item ‘Protect WP Files’ in the admin menu.
  2. On the wp-admin/upload.php page, you should see an extra admin column called URL.


  1. If you use NGINX as WEBSERVER, add a rewrite to your NGINX config file. Look into the folder _rewrites for an example.


For more information on how to use the filters please go to the plugin explanation page

Plugin / Theme Support


  • Protect WordPress Uploads introduction.
  • Upload a protected upload.
  • Filter by protected uploads.
  • Download restriction screen.
  • Attachment copy protected link.


If there are any questions please don’t hesitate to send them to

How can I control which role can upload protected files?

We added a capability ‘manage_pwpf_files’. You can assign this capability to any role in WordPress by using a roles & capabilities plugin.

If the file is protected is it possible to unprotect?

Yes, there is an option to unprotect files. The file will be moved to the public wp-uploads/ folder.

Can everyone download protected files?

No, only logged in users can download files.

Is there a role restriction who can and who cannot download?

Currently, all users with any role could download protected files.

Is the file encrypted?

No, not yet but we are working on that.


Ogwekkumi (Mukulukusa) 8, 2020
Love this little plugin, thank you! It's simple, yet very effective, very good integration, no unnecessary bells and whistles, easy to use and explain to webmasters. The info page says the plugin is compatibel to: 5.4.2. But on my 5.5.1 it seems to still work just fine. PS. Add a donate button, this plugin deserves it.
Read all 2 reviews

Contributors & Developers

“Protect WordPress Uploads” is open source software. The following people have contributed to this plugin.


“Protect WordPress Uploads” has been translated into 6 locales. Thank you to the translators for their contributions.

Translate “Protect WordPress Uploads” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.


  • Update, settings page, linkback url added for protection message.
  • Small warning fix in PWPF_url_by_slug() function, thanks to @mreisphotography.

  • Fix for slug for backend grid view thumbs.

  • Fix for slug for backend thumbs.


  • Grid and List view thumbnails added.
  • Settings page added to change the protection message.
  • Changed the wp-admin upload icon to SVG.
  • Fix for downloading large files PWPF_handle_private_download().
  • Fix remove image sizes in the private folder after unprotect the file.


  • Small fix on a translation, wrong text domain


  • Changed site_url() to get_bloginfo(‘url’).
  • Small code changes in pwpf-messages.php.
  • Added media library filter to filter by protected uploads.
  • Added support page.
  • Some changes on the wizard page.
  • Moved wizard template from function to admin-templates folder.


Added unprotect function.


Capability “manage_pwpf_files” moved to init.


Capability “manage_pwpf_files” added.


Small fix for the introduction page.


Updated the upload UX/UI design with upload progressbar.
Added upload-check for supported WordPress mimetypes.
Added introduction page.
Moved js/css to assets folders.


Added Dutch Translation.


Fixed small bug in ACF support filter.


ACF support with upload filter.


Small bug fix for filter – private_media_url_by_array.
It always returned the file url when using the filter without checking if the file is protected or not.


Small bug fix for remove _nginx message in admin.


First realease on May 17th, 2019