WordPress protect file if not logged in

Problem Description

I've in the past protected PDFs when a user is not logged in using the following code:

RewriteCond %{REQUEST_FILENAME} ^.*(pdf)$
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule . - [R=403,L]

For some reason it quit working on me. Research has shown that maybe wordpress-logged_in is no longer relevant as it was a hacking hole. Is there an alternative solution for protecting PDF documents if a user is not logged in?

These PDFs are not embedded on a page, rather "hot linked" if you will. I'm not looking for a bloated plugin. Just a solution to protect PDFs specifically.

Below is my full htaccess.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /new/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /new/index.php [L]
</IfModule>

# END WordPress


RewriteCond %{REQUEST_FILENAME} ^.*(pdf)$
RewriteRule ^(.*)$ /wp-content/download-protect.php?file=$1 [L]

# disable directory browsing in WordPress
Options -Indexes

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# Protect .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Recommended Answer

This is a slightly heavier solution than yours, but IMHO it is still better than some 'Super Protect Your PDFs' WordPress plugin.

All you have to do is place the download.php file somewhere in your WP installation (for example, the wp-content folder). Then you have to redirect all the requests for PDF files so that they are passed to the download.php script. It includes some basic WP stuff so you can use WP functions, such as is_user_logged_in().

.htaccess

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} ^.*(pdf)$
RewriteRule ^(.*)$ /wp-content/download.php?file=$1 [L]

download.php

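<?php
// Load WordPress so that is_user_logged_in() is available.
require_once('/path/to/wp-config.php');
require_once('/path/to/wp-includes/wp-db.php');
require_once('/path/to/wp-includes/pluggable.php');

if (!is_user_logged_in()) {
    // redirect to login page or show the message + login form
    die; // or exit, wp_redirect etc
}

// The rewrite rule passes the requested path (".pdf" included) relative to the
// directory that holds the .htaccess; '/path/to/htaccess/directory' is a
// placeholder for that directory. Resolve the path against it and refuse
// anything that is not an existing PDF inside it.
$requested = isset($_GET["file"]) && is_string($_GET["file"]) ? $_GET["file"] : '';
$base = realpath('/path/to/htaccess/directory');
$file = ($base === false || $requested === '' || strpos($requested, "\0") !== false)
    ? false
    : realpath($base . '/' . $requested);
if ($file === false || !is_file($file)
    || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0
    || strtolower(pathinfo($file, PATHINFO_EXTENSION)) !== 'pdf') {
    http_response_code(404);
    die;
}

header("Content-Description: File Transfer");
header("Content-Type: application/octet-stream");
header('Content-Disposition: attachment; filename="' . urlencode(basename($file)) . '"');
header("Content-Length: " . filesize($file));
flush(); // this doesn't really matter.
$fp = fopen($file, "rb"); // binary-safe read
while (!feof($fp))
{
    echo fread($fp, 65536);
    flush(); // this is essential for large downloads
}
fclose($fp);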
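
The `file` value reaches download.php from the query string, and the script can also be requested directly, so the path has to be confined to the protected directory before anything is read. The check isolated as a function and run against a constructed directory tree (an added example, not part of the original answer; `resolve_protected_pdf` and the sample layout are assumptions):

```php
<?php
// Added example. resolve_protected_pdf() is a hypothetical helper, not a WordPress API.
// Returns the real path of $requested if it is a .pdf file inside $baseDir, else null.
function resolve_protected_pdf(string $baseDir, $requested): ?string
{
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../", follows symlinks and returns false for missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Compare with a trailing separator so /srv/pdfs-old cannot pass for /srv/pdfs.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return strtolower(pathinfo($path, PATHINFO_EXTENSION)) === 'pdf' ? $path : null;
}

// Constructed sample tree in a temp directory, so the script runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pdfgate_' . uniqid();
mkdir("$root/site/docs", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/site/docs/report.pdf", "%PDF-1.4 constructed sample");
file_put_contents("$root/site/wp-config.php", "<?php // constructed sample");
file_put_contents("$root/private/secret.pdf", "%PDF-1.4 constructed sample");

// ?file= value => should it be served?
$cases = [
    'docs/report.pdf'         => true,  // what the rewrite rule normally passes
    'docs/../docs/report.pdf' => true,  // normalises to a file inside the base
    '../private/secret.pdf'   => false, // a PDF, but outside the protected tree
    'wp-config.php'           => false, // inside the tree, but not a PDF
    'docs/missing.pdf'        => false, // does not exist
];
foreach ($cases as $requested => $expected) {
    $served = resolve_protected_pdf("$root/site", $requested) !== null;
    printf("%-24s %-8s %s\n", $requested, $served ? 'served' : 'rejected',
        $served === $expected ? 'ok' : 'UNEXPECTED');
}
```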
