The WordPress core makes it’s easy to password protect posts and pages — a handy feature if you want to easily limit access to certain content. The only problem is that any images or videos you display on those pages can still be accessed by going straight to the media attachment pages.
This can be a real problem if the media files contain important information that you wish to keep behind password-protection. One solution to this problem is to drop WordPress’ support for media attachment pages. If you aren’t actively using attachment pages, then simply dropping them from your site will mean users have to access the password-protected post or page to view the content.
In this post, we’re going to explore two ways to solve this problem. First, we’ll solve the problem with a child theme and a bit of code. Second, we’ll demonstrate how you can solve the problem with a free plugin.
Ready? Let’s get to it.
Let’s say you have created an awesome tutorial. It’s all contained on one page. It includes a couple thousand words of content, one or two short videos, and a handful of illustrative graphics.
This is a just a one-off deal for you, you aren’t setting up shop as an online instructor, so you aren’t interested in installing a complete online course solution like CoursePress Pro. So you just select the option to password protect the page in question and deliver the password in an automated email that goes out whenever someone pays for access to the tutorial.
You’ve found a simple solution that solves the problem without requiring too much effort. Good job.
A few weeks later you realize that you have a problem. Someone shared one of the images from your post on social media using the attachment page URL, and the attachment page can be accessed without entering a password.
What’s worse is that your theme adds links to the attachment page allowing visitors to easily navigate through all of the images you attached to your hidden post. Not awesome.
The good news is that this is a problem you can quickly remedy.
If you’re handy with an FTP client and a text editor, you can quickly solve this problem with a child theme. All you need to do is add a single line of code to image.php and optionally to video.php.
If you take a look at the WordPress template hierarchy you’ll see that the most specific template file you can create for an attachment page is a file named using the format MIME_type.php. This means that if you have images and videos on a password-protected page, and you want to hide the attachment pages for both types of files, you’ll need to edit a different file for each type of media.
Let’s start with image.php. But before you start editing any files, make sure you’re using a child theme.
Once you have a child theme installed and activated, create a blank image.php file on your computer. Now, open it up with your text editor and add the following bit of code to the file:
Save and close the file, and then upload the file to the root directory of your child theme.
Now, when someone attempts to access an image attachment page, the image.php file will load and automatically redirect them to the post associated with that image. Exactly the behavior we’re looking for. Anyone attempting to access the image attachment pages from our password-protected page will be redirected to the password-protected page and have to enter the password to access the page.
To add the same protection to video attachment pages, create a video.php file and add the same bit of code to the file.
That’s a pretty simple trick to hiding attachment pages using code. However, if you’d rather get the job done without using a text editor and FTP client, there is another option.
If you’d rather avoid setting up a child theme and writing (or copying and pasting) even a single line of code, you can also use a plugin to redirect all attachment pages.
Attachment Pages Redirect is a free plugin available at WordPress.org that does exactly what the name suggests. It redirects all attachment pages either to the parent post they are attached to using a 301 (permanent) redirect, or the homepage using a 302 (temporary) redirect if the media isn’t attached to a parent post.
The plugin is active on over 10,000 WordPress websites and has a rating of 4.7 out of 5 stars.
To start using Attachment Pages Redirect go to Plugins > Add New in the WordPress admin area and search for “Attachment Pages Redirect.” Click Install, then click Activate, and you’re done.
No additional configuration is necessary. Visit any attachment page and you’ll find that you are automatically redirected either to the parent post or the site homepage.
Either of the strategies we’ve covered will ensure that users have to use a password to view the images and videos you add to a password-protected post. However, no strategy can fully protect your media assets.
Users with legitimate access to the media content can still scrape your content quite easily in two different ways:
In the end, there’s no way to completely protect media files. The moment you let anyone else access them, you’ve given up an element of control over the content. So keep this caveat in mind anytime you upload content to your website — even password-protecting a post offers only limited protection for your content.
If you absolutely cannot bear to see an image or video stolen and posted in a public forum, don’t upload it to your website.
The built-in password protection feature in WordPress makes it easy to provide limited access to a page or post. However, what it doesn’t do is adequately protect the attachment pages for media displayed on a password-protected page or post.
The solution is quite simple. With just a single line of code you can redirect attachment pages to the parent post, and if you don’t want to write (or copy and paste) even a single line of code, Attachment Pages Redirect will do the work for you.