You might have some sections of your WordPress site that are only accessible for your WordPress user. Pretty easy to protect the page or post in WordPress for only the registered user but what about the attachments of the post/page (files, images)?
They won’t be protected by default, this means if a request is made directly to the file it can be accessed without any password. There is potentially the solution where you protect the files in a directory with htaccess password, but do you really want to manage new set of username and password outside or WordPress? Not really.
Here is the solution, use htaccess to check if a user is logged in the WordPress site when accessing the files area, if not then redirect to the WordPress login page. Here is the new .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^.*uploads/.*
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule . /wp-login.php?redirect_to=%{REQUEST_URI} [R,L]
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
We simply have protected the whole uploads area and redirect to login if the user is not logged. You can protect a different directory.
Thanks to this support forum thread for the heads up:
http://wordpress.org/support/topic/password-protect-a-whole-directory
Update:
I strongly suggest the use of this plugin:
http://wordpress.org/extend/plugins/custom-upload-dir/
It let’s you set the name of the upload directory, so we can protect not the whole uploads. Because protecting the whole uploads will also