How to Configure the WordPress Prevent Files and Folder Plugin

1. File Restriction

This feature allows you to restrict the files from the website based on their extension for the website's public users(non-logged-in users).




Follow below steps to configure this feature:



• Write the file extension in the mentioned field which you want to restrict on your website:


• Click Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.

Apache: We need to update the rules in .htaccess file

Nginx: We need to update rules in nginx.config.




2. Protected folder

If you are looking to restrict only some selected files then you can put them in protected folder and selected files will be protected from public access.




Follow below steps to configure this feature:



• Go to the Protected Folder tab in the plugin.


• Click on Choose file -> Select the file to restrict from your system -> Click on Upload.
• The file will be listed in the restricted files list.


• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, update the rules in corresponding file.
• A folder with the name protectedfiles will be created in uploads folder and files in this folder will be restricted from the public user and only logged-in user will be able to access it.
• You can remove files by clicking on Delete button.



3. Uploads Folder Restrictions

This feature allows you to restrict access to the complete uploads folder or any subfolder in the uploads folder. You can also select multiple folders inside the Uploads folder and they all will be restricted from public access.




Follow below steps to configure this feature:



• Go to the Folder Restriction tab in the plugin.


• Click the folders that you want to restrict, you can click on the icon(+) to expand or compress the corresponding folder.


• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.



4. Custom Folder Restriction

This feature allows you to restrict access to any folder in WordPress instance. You just need to enter the folder name and all the files in that folder will be restricted.




Follow below steps to configure this feature:



• Go to the Folder Restriction tab in the plugin.


• Enter the folder name in WP Custom Folder to restrict: field.



Note: You can assign multiple folders too, just write folder names separated by comma.

• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.



5. Role-based Folder Restriction

You can use this feature to restrict access to folders based on Wordpress roles. You need to assign a folder name to the role that can access it, then only the user with that role will be able to access that particular folder.




Follow below steps to configure this feature:



• In the plugin, click the Folder Restriction tab. Turn on Role-based Folder Restriction by clicking the toggle button.


• On enabling, the Role base Folder Restriction a section will be opened as shown in the below image.


• Enter the folder names in front of every role such that the particular folders will only be accessed by corresponding roles.



Note: The above settings imply that:

• folder-A will be only accessed by Administrators( Administrator can access any folder in WordPress instance irrespective of roles restriction)
• Folder-B will only be accessed by users with the Editor role, and no other role will be able to access folder-B(except Administrator).
• Folder-C will only be accessed by users with the Author role, and no other role will be able to access folder-C (except Administrator).
• You can also assign multiple folders to a role, just write the folder names separated with comma. For example, if you want Editor to have access to folder-A, folder-B and folder-C then write folder-A, folder-B, folder-C in the field corresponding to Editor.
• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.



6. User-Based Folder Restriction

You can use this feature to restrict access to certain folders only to certain users.




Follow below steps to configure this feature:



• Go to the Folder Restriction tab in the plugin.


• Click on the toggle button in User base Folder Restriction. On toggling, the User base Folder Restriction section will be enabled.
• Note: Role base Folder Restriction or User base Folder Restriction will not work simultaneously, so make sure only one features is active at a time
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.


• Now go to the Users table in the WordPress admin dashboard and Edit profile of the user whom you want to give access to particular folder.


• Scroll down in the user’s profile and you will get a Folder Access section.


• Enter the folders that can only be accessed by the particular user.


• Click on Update User button.



7. Redirection Options

This feature provides multiple redirect options for the file restricted i.e. the user doesn't have the access to a file then they will be redirected to that particular redirect option.




Follow below steps to configure this feature:



• Display Custom Page: If user is not allowed to access any file/folder then you can redirect to any page of your WordPress site. Follow below steps to configure this redirect option:
• Go to the File Restriction tab of the plugin.


• Under the Redirect Option: section: select Display Custom Page.
• Under the Redirect to: section, list of all the pages in your WordPress site will be displayed. Select any page where you want to redirect non-logged in user.
• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.
• Redirect to WordPress login: This option will redirect a non-logged in user trying to access a restricted file or folder to WordPress login page(wp-login.php). Follow below steps to redirect to WordPress login:
• Go to File Restriction tab of plugin.


• Select Redirect to WordPress login option under Choose Redirect Option:
• Under Redirect to you will get WordPress login.


• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.
• Redirect to SSO login:This option will redirect non-logged in user trying to access restricted file or folder to IDP login page. If you have configured OAuth SSO plugin then user will be redirect to login page of first configured OAuth/OpenID provider, if you have configured SAML SSO plugin then user will be redirected to login page of first configured IDP. Follow below steps to redirect to SSO login page:
• Go to File Restriction tab of plugin.


• Select Redirect to SSO login option under Choose Redirect Option:
• Under Redirect to option select OAuth SSO login or SAML SSO login based on the SAML/OAuth SSO plugin you're using
• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.



8. Security Level Base

This feature determines how you want to check whether the user is logged in or not. There are two options available:




Follow below steps to configure this feature:



• Cookie: This will check whether the user is logged in or not based on the login cookie in the browser. This method is less secured comparative to session based security level.
• Session: This will check whether the user is logged in or not based on the active session of the user in the WordPress site server. This is the most secured method.

You can follow the below steps to setup the desired Security level base on your WordPress site:

• Go to File Restriction tab of plugin.


• Under Security Level Base:, select desired option.
• Click the Save Settings button.
• Click on the Show Rules button and select the tab corresponding to your server, you will find the required rules there, and update the rules in the corresponding file.

Server Selection

Make sure you have selected the correct server on which your website is running. Please refer to the following image

Note: For some hosting provider, you might need to communicate with the hosting provider support to update the rules in nginx.config. Please make sure that your hosting provider is ready to upload the rules. Same is valid for all the plugin features.