Protecting Downloadable PDF Files in WooCommerce for Logged-In Customers

In a recent Business Bloomer Club Slack thread, WooCommerce store owners discussed ways to secure downloadable PDFs stored in the Media Library, aiming to restrict access to logged-in users who purchased the files.

While some accepted the reality that determined users can often find ways around restrictions, several solutions offer improved security to protect digital downloads.

Solution 1: Use a Prevent Direct Access Plugin

For a non-technical solution, the Prevent Direct Access plugin can secure files in the Media Library, preventing direct access unless specific permissions are met.

  1. Install Prevent Direct Access: This plugin blocks public access to specific files, ensuring only logged-in users or specific customer roles can access them.
  2. Configure Settings: Set up access controls for each product file, allowing only verified buyers to access the download links.

Link: Prevent Direct Access

  • Pros: Simple to implement, ideal for small to medium-sized files.
  • Cons: May require customization for large files.

Solution 2: Store Files Outside the Media Library with .htaccess Rules (Apache Only)

For those on an Apache server, moving files outside the Media Library and securing access with .htaccess can be effective.

  1. Place PDFs Outside the Media Library: Store files in a custom directory.
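  2. Configure .htaccess: Use .htaccess rules to restrict access to authenticated users only, blocking all other attempts. The rules below use Apache's HTTP Basic authentication, which checks credentials against Apache's own password file rather than the WordPress login session, so serve the directory over HTTPS and issue those credentials separately. Example .htaccess:
   <Files *.pdf>
       AuthType Basic
       AuthName "Restricted Access"
       # Placeholder path: keep the password file outside the web root
       AuthUserFile /path/to/.htpasswd
       Require valid-user
   </Files>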
  • Pros: Effective for smaller files, no plugin needed.
  • Cons: Not compatible with Nginx and can impact performance for large files.

Solution 3: Amazon S3 and Signed URLs

Amazon S3 with signed URLs offers scalable file protection, making it suitable for larger sites and file sizes.

  1. Upload PDFs to S3: Store files in an S3 bucket with restricted permissions.
  2. Generate Signed URLs: Use signed URLs to allow temporary access for verified buyers only.
  • Pros: Scalable and ideal for large files.
  • Cons: May require developer expertise and Amazon Web Services (AWS) setup.

Solution 4: Redirect Access with Custom PHP and WooCommerce Hooks

To manage access directly in WooCommerce, create a custom function that checks if the user is logged in and has purchased the product. If not, redirect them to the login or product page.

  1. Use WooCommerce Hooks: Hook into WooCommerce’s functions to verify user permissions before serving the file.
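  2. Redirect Unauthorized Users: Implement a redirect for users without access. The example below sends logged-out visitors who open a product page to the login form; on its own it does not check purchases or block direct requests to the file URL. Example PHP code:
   add_action( 'template_redirect', 'redirect_unauthorized_users' );
   function redirect_unauthorized_users() {
       // Only act on single product pages viewed by logged-out visitors.
       if ( is_singular( 'product' ) && ! is_user_logged_in() ) {
           // Send them to the login form, then back to this product.
           // wp_safe_redirect() only allows redirects to permitted hosts.
           wp_safe_redirect( wp_login_url( get_permalink() ) );
           exit;
       }
   }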
  • Pros: Highly customizable, no extra plugins required.
  • Cons: Requires some coding knowledge.
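
One way to implement the check Solution 4 describes, as an added example rather than code from the original post or from WooCommerce: a request handler that confirms the user is logged in and has bought the product before streaming a PDF stored outside the web root. The `bb_pdf` query variable, the `BB_PDF_DIR` path and the product-to-file map are hypothetical names and placeholders; `wc_customer_bought_product()` is WooCommerce's existing helper.

```php
<?php
// Added example, not WooCommerce's own download handler.
// Assumptions (hypothetical): the "bb_pdf" query var, the BB_PDF_DIR path,
// and the product-to-file map with its sample product ID.
define( 'BB_PDF_DIR', '/path/to/private-pdfs' ); // placeholder, outside the web root

add_action( 'template_redirect', 'bb_serve_purchased_pdf' );
function bb_serve_purchased_pdf() {
    if ( ! isset( $_GET['bb_pdf'] ) ) {
        return; // Not a download request.
    }
    $product_id = absint( $_GET['bb_pdf'] );

    // Server-side map of product ID => file name. The request never carries
    // a path, so there is nothing for a client to traverse.
    $files = array( 123 => 'ebook.pdf' ); // constructed sample entry
    if ( ! isset( $files[ $product_id ] ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    // Logged-out visitors go to the login form and return to this request.
    if ( ! is_user_logged_in() ) {
        $return = add_query_arg( 'bb_pdf', $product_id, home_url( '/' ) );
        wp_safe_redirect( wp_login_url( $return ) );
        exit;
    }

    // Logged-in users who have not bought the product go to its page.
    $user = wp_get_current_user();
    if ( ! wc_customer_bought_product( $user->user_email, $user->ID, $product_id ) ) {
        wp_safe_redirect( get_permalink( $product_id ) );
        exit;
    }

    $path = BB_PDF_DIR . '/' . $files[ $product_id ];
    if ( ! is_readable( $path ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    // Stream the file through PHP; the PDF itself has no public URL.
    nocache_headers();
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="' . $files[ $product_id ] . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
```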

Conclusion

To secure WooCommerce digital downloads, options range from plugins like Prevent Direct Access for simplicity, to Amazon S3 for high scalability, and custom code for tailored solutions. Each method helps protect digital assets while maintaining a smooth user experience.

Rodolfo Melogli

Business Bloomer Founder
