How to manage access to the WordPress media library

The biggest challenge with the media access control is to protect physical files from direct access. When somebody has a direct link to a file, it can copy & pasted to a browser or fetch with any program that can download files from the remote location. In this article, you’ll learn how can protect/restrict your media assets with the help of free Advanced Access Manager (aka AAM) WordPress plugins.

Let’s assume that you already downloaded and activated AAM plugin so from here there are only a few simple steps that you need to do in order to physically protect your media assets.

Note! This feature is absolutely free and does not require any premium extensions. However, if you need to manage default access to all media or group them by categories, you need to have at least Plus Package premium extension. You can learn more about managing access to your content and media assets from Manage access to the WordPress Posts and Terms article.

Step #1. Restrict physical access to media assets.

The main idea with this step is to redirect all HTTP request for your physical files to AAM access control handlers. This way, AAM, based on current user/visitor can determine if access is allowed or denied.

As of today, we can show you how to configure your Apache or Nginx servers to redirect requests to AAM access control handlers.

Apache Setup
Go to the root of your website and open the .htaccess file. Copy&Paste following configurations in the beginning of the file.

It is very important to insert this config at the beginning of the .htaccess file to eliminate any chance for other redirect rules to suppress AAM rules that manage access to the media assets.

# BEGIN AAM Media Access Control
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_URI} \.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$
    RewriteCond %{REQUEST_URI} wp-content/uploads/(.*)$
    RewriteRule . /index.php?aam-media=1 [L]
# END AAM Media Access Control

NOTE! If your website root is located in subfolder, for example, then adjust RewriteBase / line with RewriteBase /wordpress and RewriteRule . /index.php?aam-media=1 [L] to RewriteRule . /wordpress/index.php?aam-media=1 [L]

This tells to Apache server that if somebody tries to access a physical file directly, then redirect this request to the AAM media manager when access is authorized.

Please also note that AAM explicitly defines what files can be protected based on the list of allowed file extensions. If your website allows to upload additional types of files, feel free to modify above configurations however keep in mind that we do not recommend to protect any files that may be streamed like video or audio files.

Nginx Setup

Note! You need to have AAM v5.9.7.1 or higher for this to work. At the moment of writing this article we still on AAM v5.9.7 however you can already download the release candidate from the official WP repository.

The Nginx server works a slightly different way than Apache when it comes to redirect/rewrite configurations. While Apache dynamically checks for .htaccess files in each directory (folder), Nginx has a configuration file(s) that a loaded once during server startup. This is one of their main claims for being faster than the Apache server.

Depending on a hosting provider, you may/may not have the ability to manage Nginx redirect/rewrite rules, however, the principle is simple – based on the relative location to your media uploads folder, you need to make sure that all requests to physical files are redirected to index.php?aam-media access control handler.

Below is the example of configurations that are identical to the Apache configurations mentioned above. You can change them depending on your specific project needs.

location ~* ^/wp-content/uploads/ {
   rewrite (?i)^(/wp-content/uploads/.*)\.(jpg|jpeg|png|svg|gif|ico|pdf|doc|docx|ppt|pptx|pps|ppsx|odt|xls|xlsx|psd)$ /index.php?aam-media=$1.$2 last;
   return 307;

Step #2. Restrict access to media.

Navigate to AAM page and switch to desired user or role that you want to restrict access for or manage visitors to restrict access for none-authenticated users. Click on Posts & Terms tab. Find the media post that needs to be protected. Check the READ option. This way you are restricting the ability to read, view or download a media asset.

WordPress Media File Protection

Note! If you file is not a part of the Media Library (e.g. you manually uploaded a file to the /wp-content/uploads folder via FTP), then instead of managing access to the file on Posts&Terms tab, use URI Access tab and explicitly define URI to the file. For example, to restrict access to the dissertation.pdf file that was uploaded manually, you just need to create a new entry on the URI Access tab.

WordPress File Access Control

Step #3. Activate media assets protection feature.

By default this feature is disabled so go to AAM page and click on Settings Area. Make sure that “Media Files Access Control” option is enabled.

Note! This functionality has been tested on brand new WordPress installation with all default settings. It might have conflicts with other plugins that are doing similar task. Contact us if it is not working as expected.


Managing access to WordPress media assets and making sure that protected data does not leak to the outside world is crucial for so many businesses. It is also can be challenging for none tech savvy people that is why AAM can be so helpful.

Please note that there are dozens and dozens of different possibilities on how you store your media assets and AAM may not cover them all without so technical assistance. Luckily it is to my best interest to help you with this task so please do not hesitate to send me a message if help is needed. It is absolutely free so you lose nothing.

Get notified about important updates and new features (no more than one email per month).