Protect a user's uploaded files

Note! This policy assumes that you already installed AAM Protected Media Files plugin and configured your server as described in the “How to manage access to the WordPress media library” article.

When any authenticated user (who has privileges to upload files) uploads a new file, WordPress core, automatically, makes this user as the author (owner) of that file. The policy takes this information into consideration and determines if a user has access to the requested file(s).

Note! It is very important to understand who are “others” and you can find more details in the Who are “others” when you manage access to the content article.

For example, if you have 100 users that belong to the Subscriber role and you want to make sure that those 100 users can see and manage only their own files, then attach this policy to the Subscriber role.

By default, when a user will try to view or download any file directly, 401 Unauthorized response will be returned. Any attempts to edit or delete files that do not belong to a user will be denied.

    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.3.2",
        "advanced-access-manager": ">=6.2.2",
        "aam-protected-media-files": {
            "Name": "AAM Protected Media Files",
            "Version": ">=1.1.4",
            "URL": ""
        "${CONST.AAM_PLUS_PACKAGE}": {
            "Name": "Plus Package",
            "Version": ">=5.2.0",
            "URL": ""
    "Statement": [
            "Effect": "deny",
            "Resource": [
Copy this unique number and use it to install the policy on your website. To learn more how it works, follow this link.
DEPENDENCIES List of required plugins for this policy to work properly.
WordPress >=5.3.2
Advanced Access Manager >=6.2.2
AAM Protected Media Files >=1.1.4
Plus Package >=5.2.0
ASSIGNEES The type of audience the policy is automatically applied to as well as excluded. To learn more how it works, follow this link

This policy does not apply to any role, user or visitors. You need to attach this policy to desired audience manually. Learn more here.