How to manage access to the WordPress media library

Note! The tutorial is applicable to AAM 6.0.4 or higher and AAM Protected Media Files 1.0.0 or higher. Both plugins are free. AAM plugin can be downloaded from the Official WordPress Plugin Repository as well as AAM Protected Media Files.

The biggest challenge with the media access control is to protect physical files from direct access. When somebody has a direct link to a file, it can copy & pasted to a browser or fetch with any program that can download files from the remote location. In this article, you’ll learn how can protect/restrict your media assets with the help of free Advanced Access Manager (aka AAM) WordPress plugins.

FYI! This feature is absolutely free and does not require any premium add-ons. However, if you need to manage default access to all media or group them by categories, you need to have at least Plus Package premium add-on. You can learn more about managing access to your content and media assets from Manage access to the WordPress Posts and Terms article.

Step #1. Restrict Physical Access to Files.

The main idea with this step is to redirect all HTTP requests to the physical files to AAM access control handlers. This way, AAM, based on current user/visitor can determine if access is allowed or denied.

Note! We deliberately, excluded functionality that automatically modifies server configurations so you can be 100% aware of the changes that are introduced with physical file access protection.

As of today, we can show you how to configure Apache or Nginx servers to redirect requests to AAM access control handlers.

Apache Setup
Go to the root of your website and open the .htaccess file. Copy&Paste following configurations in the beginning of the file.

It is very important to insert this config at the beginning of the .htaccess file to eliminate any chance for other redirect rules to suppress AAM rules that manage access to the media assets.

# BEGIN AAM Media Access Control
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} wp-content/uploads/(.*)$
    RewriteRule . /index.php?aam-media=1 [L]
# END AAM Media Access Control

NOTE! If your website root is located in subfolder, for example, then adjust RewriteBase and RewriteRule rules as following:

# BEGIN AAM Media Access Control
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /wordpress
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} wp-content/uploads/(.*)$
    RewriteRule . /wordpress/index.php?aam-media=1 [L]
# END AAM Media Access Control

This tells to Apache server that if somebody tries to access a physical file directly, then redirect this request to the AAM media manager where access is authorized.

Nginx Setup
The Nginx server works in a slightly different way than Apache when it comes to redirect/rewrite configurations. While Apache dynamically checks for .htaccess files in each directory (folder), Nginx has a configuration file(s) that a loaded once during server startup. This is one of their main claims for being faster than the Apache server.

Depending on a hosting provider, you may/may not have the ability to manage Nginx redirect/rewrite rules, however, the principle is simple – based on the relative location to your media uploads folder, you need to make sure that all requests to physical files are redirected to index.php?aam-media access control handler.

Below is the example of configurations that are identical to the Apache configurations mentioned above. You can change them depending on your specific project needs.

location ~* ^/wp-content/uploads/ {
   rewrite (?i)^(/wp-content/uploads/.*)$ /index.php?aam-media=$1 last;
   return 307;

Note! AAM explicitly checks what files can be protected based on the list of allowed file extensions. Also, any files that are outside of the WP uploads folder are not served.

Step #2. Manage Access To Files with AAM UI.

Navigate to the AAM page and switch to the desired user, role or manage visitors to restrict access for none-authenticated users. Select on Posts & Terms tab. Then find the media attachment that needs to be protected. Check the RESTRICTED option. This way you are restricting the ability to read, view or download a media attachment.

WordPress Protected Media File

As an option, you can manage access to any individual media attachment while editing it in the Media Library. AAM renders additional metabox for that (this metabox can be disabled with Render Access Manager Metabox option).

WordPress WordPress Media Files

If file is not a part of the Media Library (e.g. you manually uploaded this file to the /wp-content/uploads folder via FTP), then instead of managing access to the file on Posts & Terms tab, use URI Access tab and explicitly define URI to the file. For example, to restrict access to the dissertation.pdf file that was uploaded manually, you just need to create a new entry on the URI Access tab.

WordPress File Access Control


Managing access to WordPress media assets and making sure that protected data does not leak to the outside world is crucial for so many businesses. It is also can be challenging for none tech savvy people that is why AAM can be so helpful.

Please note that there are dozens and dozens of different possibilities on how you store your media assets and AAM may not cover them all without so technical assistance. It is in our best interest to help you with this task so please do not hesitate to send us a message if help is needed. It is absolutely free so you lose nothing.

Get notified about important updates and new features (no more than one email per month).