php – Is htaccess protection for images secure enough?


Let’s suppose I want to intercept all public traffic trying to reach any image under the /wp-content/uploads folder.

All those requests should be processed by a PHP script in a file called for example secure-view.php living inside the uploads folder.

I would put something like the following into an .htaccess file inside the uploads folder:

RewriteRule ^(.+).(png|jpg|gif)$   secure-view.php?file=$1.$2 [NC,L]

Now, inside the secure-view.php file I can do whatever I want, like checking if the visitor is logged in and does have permission to see the matched file.

Then I can display the actual image or an error.

I wonder if I can rely on such a security measure for images containing sensitive data. In this case it would be pictures of the person in underwear (for a fitness coaching plan).

An alternative would be to upload those images to a folder above the document root, so that they can only be loaded via PHP. But if the proposed method is fine enough, I would like to stick to it to also use the benefits of the WP Media Gallery and the builtin media upload API.

Alvaro Franz 6 months 2021-05-27T07:10:21-05:00 0 Answers 0 views 0

Leave an answer