Background of my problem: I'd like to mask external download links as internal links that are only accessible to logged-in WP users, at .htaccess level or with a PHP script, but when the redirection happens a visitor outside of WordPress can still access the download links by pasting the direct URL into the browser bar.
I've tried this code for redirection to the external link.
Redirect 301 /resources https://external/direct-download-link1
Before accessing that direct download link (ourwebsite/resources), a script must act like a man in the middle and check whether the visitor is logged into WordPress.
I'd like to change where the redirect goes: have it go to a PHP page where you can load WordPress and check the role of the user to make sure they are logged in.
<?php
require('../wp-load.php'); // modify to reflect where your PHP file is in relation to WordPress
$roles = wp_get_current_user()->roles; // get the current user's roles
if (!in_array('alloweduserrole', $roles)) { // modify to match the roles that are allowed to download
    header('Location: http://www.ourwebsite/');
    exit;
} // end of if user does not have the proper role
The above code could be developed into a simple PHP checking script, but I don't know how to implement it or which code to change.
asked May 14, 2019 at 17:22 by diladadufe
2 Answers
You can't "redirect" to the external site in .htaccess - there is no way for your script to do the "MITM" bit to check their credentials.
Instead, you would need to internally rewrite the request to your PHP script (in .htaccess). Your PHP script then checks that the user is logged in, etc. as you are doing, and then your PHP script issues the appropriate redirect - in the same way your script is currently redirecting back to your own site when authentication fails (although arguably that should be a 403 instead).
For example, before the WordPress front-controller:
RewriteEngine On
RewriteRule ^resources$ /php-authentication-script.php [L]
The above will internally rewrite any request for /resources to your /php-authentication-script.php. The URL in the browser's address bar remains as /resources, until your PHP script issues the redirect.
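As an added example (not the asker's, the answerer's or WordPress' own code), here is what the rewritten-to PHP gatekeeper described above could look like: it maps a masked slug to an external URL from a server-side allowlist, lets WordPress validate the login cookie, returns 403 for the wrong role as the answer suggests, and only then redirects. It assumes a rewrite of `/resources/<slug>` to `/php-authentication-script.php?res=<slug>`, that the script sits one directory below `wp-load.php`, and sample slugs, URLs and role names that are constructed here.

```php
<?php
// Added example gatekeeper for the rewritten /resources URL (not the asker's or
// WordPress' own code). Assumes this .htaccess rule before the WordPress front-controller:
//   RewriteRule ^resources/([a-z0-9-]+)$ /php-authentication-script.php?res=$1 [L,QSA]
// and that this file lives one directory below wp-load.php.

require_once __DIR__ . '/../wp-load.php';

// Allowlist of masked slugs -> real external download URLs (constructed sample
// values). Keeping the map server-side means a request can only name a slug,
// never an arbitrary target, so the script cannot be abused as an open redirect.
$downloads = [
    'link1' => 'https://external/direct-download-link1',
    'link2' => 'https://external/direct-download-link2', // placeholder
];

// Roles allowed to download; constructed example, adjust to match your site.
$allowedRoles = ['subscriber', 'administrator'];

$slug = isset($_GET['res']) ? (string) $_GET['res'] : '';

// 1. Unknown slug: answer 404 rather than revealing which resources exist.
if (!array_key_exists($slug, $downloads)) {
    status_header(404);
    nocache_headers();
    exit('Not found');
}

// 2. Not logged in: wp-load.php has already verified the auth cookie's signature
//    and expiry, which is stronger than merely testing that the cookie is present.
if (!is_user_logged_in()) {
    nocache_headers();
    auth_redirect(); // sends the visitor to wp-login.php and back here afterwards, then exits
}

// 3. Logged in but without an allowed role: 403, as the answer suggests,
//    instead of silently redirecting back to the home page.
$roles = wp_get_current_user()->roles;
if (!array_intersect($allowedRoles, $roles)) {
    status_header(403);
    nocache_headers();
    exit('Forbidden');
}

// 4. Authorised: temporary (302) redirect with no-cache headers, so neither the
//    browser nor an intermediary caches the external URL as a permanent mapping.
nocache_headers();
wp_redirect($downloads[$slug], 302);
exit;
```

The redirect still hands the visitor the real external URL, so, as the second answer notes, this protects only the path through your site, not the external address itself.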
The way I do this is to use .htaccess to check for the existence of WordPress's logged-in cookie and redirect requests which do not have it to a particular page. The .htaccess file should go within your /resources directory so it only applies to that folder and any subfolders. This is the relevant part:
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !PHPSESSID= [OR]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_xxxxxxxxxx=
RewriteRule .* https://example/members-information [L]
This will redirect any requests which it handles (requests to /resources or destinations within /resources which don't include the cookie) somewhere else: in my case it goes to my members-information page which contains details of how to join.
Note that xxxx changes for each installation: you'll need to examine your cookies to find out which value your site uses.
Note too that this is as secure as I need it to be! While cookies should be exchanged only with the site to which they're associated, they can be spoofed.
This will cater for requests which attempt to reach /resources.
You can do nothing about people who type the external address into their browser: you don't control requests to that domain. You can't stop me typing wordpress.stackexchange into my browser or intercept requests which go there. The only way this can happen is with the co-operation of the external site owner, who can incorporate checks on the referrer passed with the GET request to check that the request comes via your site — it could only come via your site if they are logged into your site and can see the link — but again the HTTP_REFERER header can be spoofed.
https://external/direct-download-link1 into the browser and successfully downloading, or trying to stop someone typing your redirect URL into the browser and being redirected? – Andrew Leach, commented May 14, 2019 at 22:00