Custom Rule Recipe: Block access to directories under /wp-content/uploads/

For whatever reason, you may want to prevent visitors from browsing certain WordPress directories. The most obvious directory to protect from browsing is /wp-content/uploads/.

Most web servers, whether Apache or nginx, provide restrictions for this by default, but sometimes this sort of restriction isn't in place. You can either reach out to your web hosting provider, or use a Custom Security Rule to apply a restriction in a way that suits your situation.

In the example outlined in the video below, we set up a rule such that any web request sent to /wp-content/uploads/ is blocked with a message. You can respond however you think is best; the video is just one example of how to achieve this.

Here are some important points to note about this rule:

  • This rule will not impact your site's ability to access images uploaded to your WordPress site. The reason is that if an image file exists on the path specified in the web request, it'll be returned by the server. It is only when the file doesn't exist that WordPress is loaded, and then Shield's Custom Security Rule is applied.
  • In our example we simply die(), but you may choose to redirect the request, increment the IP offense counter for the visitor, or do any number of things. It's up to you.
  • Always, always, always test your rules to ensure that they work for your site without interrupting your normal visitor experience or site functionality.
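
One way to run the test the last point calls for against your own site, as an added example (not Shield's code): it probes the uploads directory, a missing path and a real upload, and reports whether the rule fires without breaking image delivery. All function names are hypothetical, and the block message is assumed to be whatever text you configured in your rule.

```python
# Added example: smoke test for an uploads-blocking rule. All names are hypothetical.
import urllib.error
import urllib.request

UPLOADS = "/wp-content/uploads/"


def http_fetch(url):
    """Return (status, body) for a GET, treating 4xx/5xx as normal results."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def classify(status, body, block_message):
    """Label one response. The block message is matched in the body because
    a bare die() does not by itself change the HTTP status code."""
    if block_message in body:
        return "blocked"
    if status == 200 and "Index of /" in body:
        return "listing"  # Apache/nginx auto-generated directory index
    if status == 200:
        return "served"
    return "http-%d" % status


def check_rule(base_url, existing_upload, block_message, fetch=http_fetch):
    """Probe the directory, a missing path, and a real upload on your own site."""
    base = base_url.rstrip("/")
    probes = {
        "directory": UPLOADS,
        "missing": UPLOADS + "no-such-file-rule-check.jpg",
        "existing": existing_upload,
    }
    results = {name: classify(*fetch(base + path), block_message)
               for name, path in probes.items()}
    # Pass: no listing is exposed, the missing path hits the rule,
    # and the real upload is still served by the web server.
    results["ok"] = (results["directory"] != "listing"
                     and results["missing"] == "blocked"
                     and results["existing"] == "served")
    return results
```

Call check_rule() with your site URL, the path of an image you know exists, and your rule's message; a "listing" result for the directory means browsing is still exposed.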