PTP Private Media

PTP Private Media gives you full control over who can access your WordPress media files. Stop search engines, bots, and unauthorised visitors from downloading your protected images, PDFs, videos, or documents.

Author: Umang Prajapati | WordPress Profile | GitHub

Core Features

🔐 Media Protection System
* Prevent direct URL access to files in /wp-content/uploads/
* Files are served through a secure PHP handler, not exposed directly
* Automatic .htaccess rules block direct file access on Apache servers
* Guidance provided for Nginx configurations

👥 Fine-Grained Access Control
Set a protection level for every file in the Media Library:

• Public – standard WordPress behaviour
• Logged-in users only – any authenticated user
• Specific roles – choose from all registered WordPress roles (Admin, Editor, Subscriber, etc.)
• Password protected – custom password per file
• Restrict to posts/pages – only accessible when referred from specific content

🔗 Secure File Delivery
* Replace original media URLs with HMAC-signed, time-limited token URLs
* Format: example.com/ptp-restricted-media/{file-id}/{token}/
* Configurable token expiry (default: 1 hour)
* Hotlink protection prevents embedding on external domains
* Optional IP-address binding for tokens

🚫 SEO & Indexing Protection
* X-Robots-Tag: noindex, nofollow header on all protected file requests
* Optional Disallow entries in robots.txt for the uploads directory
* Disable and redirect WordPress media attachment pages
* wp_robots API integration for attachment pages

📂 Media Library Integration
* Protection Settings panel on every attachment edit screen
* Protection status column (Protected / Public / Password / Role) in list view
* Bulk Actions: protect multiple files, change access rules, make public

⚡ Performance
* Chunked streaming with HTTP Range support for large video/audio files
* Configurable file-size threshold for streaming vs. single-pass delivery
* Object cache support with cache invalidation on settings change
* Scheduled cleanup of expired tokens and old access logs

🛡️ Security
* HMAC-SHA256 signed tokens using WordPress secret keys
* Nonce verification on all AJAX requests and form actions
* All input sanitized and output escaped per WordPress standards
* No direct file inclusion; ABSPATH check on every file
* Clean uninstall via uninstall.php

Nginx Support

While .htaccess rules are written automatically for Apache, the plugin provides the correct Nginx configuration block in the admin dashboard for manual setup.

WooCommerce Compatibility

The access control system is designed to work alongside WooCommerce. Future versions will include native purchase-based access checks.