How to manage access to the WordPress media library

The biggest challenge with the media access control is to protect physical files from the direct access. When somebody has direct link to a file, it can be copy & pasted to a browser or fetch with any program that can download files from the remote location. In this article you’ll learn how can protect/restrict your media assets with the help of free Advanced Access Manager (aka AAM) WordPress plugins.

Let’s assume that you already downloaded and activated AAM plugin so from here there are only few simple steps that you need to do in order to physically protect your media assets.

Note! This feature is absolutely free and does not require any premium extensions unless you want to restrict access to all media assets by default and allow access only to few. You can learn more about managing access to your content and media assets from Manage access to the WordPress Posts and Terms article.

Step #1. Restrict physical access to media assets.

Go to the root of your website and open the .htaccess file. Copy&Paste following configurations in the beginning of the file.

It is very important to insert this config in the beginning of the .htaccess file to eliminate any chance for other redirect rules to suppress AAM specific rules that manage access to the media assets.

# BEGIN AAM Media Access Control
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} \.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$
    RewriteCond %{REQUEST_URI} wp-content/uploads/(.*)$
    RewriteRule . /index.php?aam-media=1 [L]
# END AAM Media Access Control

NOTE! If your website root is located in subfolder, for example, then adjust RewriteBase / line with RewriteBase /wordpress and RewriteRule . /index.php?aam-media=1 [L] to RewriteRule . /wordpress/index.php?aam-media=1 [L]

This tells to the Apache server that if somebody tries to access a physical file directly, then redirect this request to the AAM media manager when access is authorized.

Please also note that AAM explicitly defines what files can be protected based on the list of allowed file extensions. If your website allows to upload additional types of files, feel free to modify above configurations however keep in mind that we do not recommend to protect any files that may be streamed like video or audio files.

Step #2. Restrict access to media.

Navigate to AAM page and switch to desired user or role that you want to restrict access for or manage visitors to restrict access for none-authenticated users. Click on Posts & Terms tab. Find the media post that needs to be protected. Check the READ option. This way you are restricting ability to read, view or download a media asset.

WordPress Media File Protection

Note! If you file is not a part of the Media Library (e.g. you manually uploaded a file to the /wp-content/uploads folder via FTP), then instead of managing access to the file on Posts&Terms tab, use URI Access tab and explicitly define URI to the file. For example, to restrict access to the dissertation.pdf file that was uploaded manually, you just need to create a new entry on the URI Access tab.

WordPress File Access Control

Step #3. Activate media assets protection feature.

By default this feature is disabled so go to AAM page and click on Settings Area. Make sure that “Media Files Access Control” option is enabled.

Note! This functionality has been tested on brand new WordPress installation with all default settings. It might have conflicts with other plugins that are doing similar task. Contact us if it is not working as expected.


Managing access to WordPress media assets and making sure that protected data does not leak to the outside world is crucial for so many businesses. It is also can be challenging for none tech savvy people that is why AAM can be so helpful.

Please note that there are dozens and dozens of different possibilities on how you store your media assets and AAM may not cover them all without so technical assistance. Luckily it is to my best interest to help you with this task so please do not hesitate to send me a message if help is needed. It is absolutely free so you loose nothing.

Get notified about important updates and new features (no more than one email per month).