Chances are you’re using a lot of files in the media library of your WordPress website. But what if you want to protect your WordPress media files? Enter Prevent Direct Access, a plugin for protecting your files in your WordPress media library.
In this Prevent Direct Access Review, I will walk through Prevent Direct Access (if you don’t mind, let’s call it PDA) and Prevent Direct Access Gold (the extension for PDA).
And did you know that all the files you upload in WordPress are publicly accessible? They are even indexed by search engines. Now in many cases, this won’t bother you. But what if you want to make your newest e-book available, but still keep it protected? Or limit files to logged-in users only?
For these kinds of scenarios, the Prevent Direct Access plugin is an excellent solution. A plugin that protects the files in your media library. So can WordPress protect media files in the proper way using this plugin?
In this review, you will see if it is actually a good WordPress plugin for protecting files and how it exactly works.
I’m lazy too! What do you need to know from this Prevent Direct Access review?
- Prevent Direct Access is the WordPress plugin for protecting WordPress files from your media library. Typical files in your library are images, PDFs, office files such as PowerPoint and Word documents and sometimes ZIP files.
- Prevent Direct Access can limit access to your files to certain users or user roles, to a restricted number of downloads, or until an expiration date, and can also encrypt files to enhance security further.
- Prevent Direct Access has lifetime pricing, making it a cost-efficient investment. Their monthly subscription is on the expensive side.
- Prevent Direct Access has many integrations and extensions and works seamlessly with membership plugins.
Prevent Direct Access FAQs
But before I enter into the depth of this Prevent Direct Access review, let’s briefly answer a few questions you may have about PDA.
What does Prevent Direct Access do?
It shields the files in your media library from users who are not logged in, restricts them to users in certain roles (users can have various permissions in WordPress), or provides unique download links that work for any visitor within certain limits.
What happens if someone visits a protected file or image?
If the visitor is allowed to see the file or image, it will show up. Otherwise, the visitor will see the default 404-page (the not-found page) of your site.
Does Prevent Direct Access work with my hosting company?
Prevent Direct Access works with many hosting companies such as Kinsta, Cloudways, WP Engine, Liquid Web, Flywheel, and Siteground. In some cases, you may need to make some modifications to your site. Visit the documentation of PDA for more information.
How expensive is Prevent Direct Access Gold?
Prevent Direct Access Gold starts from $14.90 a month. More details can be found in pricing.
How does Prevent Direct Access work?
Prevent Direct Access places your uploaded files in a special folder. Subsequently, it protects any file in this folder by redirecting requests for these files to a piece of code that checks whether the visitor is allowed to view the file.
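The flow described in these FAQ answers (a request for a protected file is handed to a checker that either serves it or answers 404), as an added sketch that is not the plugin's own code. The folder name, the `acl` mapping and the `PrivateLink` fields are assumptions made for illustration, and the model is written in Python rather than the plugin's PHP.

```python
import hmac
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

PROTECTED_DIR = "protected"  # hypothetical folder name, not the plugin's real one


@dataclass
class PrivateLink:
    """Download link usable by anyone holding the token, within its limits."""
    token: str
    path: str
    expires_at: Optional[float] = None    # Unix time; None means no expiry
    max_downloads: Optional[int] = None   # None means unlimited
    downloads: int = 0


def clean_path(requested: str) -> Optional[str]:
    """Return a path inside PROTECTED_DIR, or None for traversal/outside paths."""
    path = PurePosixPath(requested)
    if path.is_absolute() or ".." in path.parts:
        return None
    if len(path.parts) < 2 or path.parts[0] != PROTECTED_DIR:
        return None
    return str(path)


def link_allows(link: PrivateLink, path: str, token: str, now: float) -> bool:
    """Check the token in constant time, then target file, expiry and budget."""
    if not hmac.compare_digest(link.token.encode(), token.encode()):
        return False
    if link.path != path:
        return False
    if link.expires_at is not None and now >= link.expires_at:
        return False
    return link.max_downloads is None or link.downloads < link.max_downloads


def gate(requested, user_roles, acl, links, token=None, now=0.0) -> int:
    """Decide a request that the web server handed to the checker: 200 or 404."""
    path = clean_path(requested)
    if path is None or path not in acl:
        return 404                       # unsafe or unknown path: deny by default
    if set(user_roles) & set(acl[path]):
        return 200                       # logged-in user holds an allowed role
    for link in links if token else ():
        if link_allows(link, path, token, now):
            link.downloads += 1          # spend one download from the budget
            return 200
    return 404                           # denied looks the same as "not found"


# Constructed sample data: one protected file and one private link.
ACL = {"protected/ebook.pdf": {"subscriber"}}
LINK = PrivateLink("constructed-token", "protected/ebook.pdf",
                   expires_at=1_000.0, max_downloads=2)

if __name__ == "__main__":
    print(gate("protected/ebook.pdf", ["subscriber"], ACL, [LINK]))      # role
    print(gate("protected/ebook.pdf", [], ACL, [LINK]))                  # anon
    print(gate("protected/ebook.pdf", [], ACL, [LINK], "constructed-token", 10.0))
```

Answering 404 on every denial means a visitor without access cannot tell a protected file from one that does not exist.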
Prevent Direct Access Review Procedure:
If you’ve read one of my other reviews, you know that I review on the following criteria:
- Features: the features offered
- Usability: is it easy to use?
- Performance: does it make your website slow or not?
- Support: what if something goes wrong?
- Pricing: do you get a good value for what you pay?
In this Prevent Direct Access review, you will find these five criteria discussed. This review is part of a larger series of reviews, where I compare WordPress plugins and see if they are any good.
The features of Prevent Direct Access
Prevent Direct Access has the essential features you need for WordPress file and media protection, including role-based protection, download links and plugin integrations.
In short, it limits access to files from your media library to certain visitors.
These features are included in the free version of the plugin, available in the WordPress plugin repository.
- Protect up to 9 files
- One download link
- Manually block search engines from indexing
- Prevent hotlinking (other websites using your images)
- Disable directory listing
- Only works on the Apache webserver, a type of server
These features are included in the paid plugin:
- Protect unlimited files and file types
- Block search engines from indexing
- Auto-protection of new files
- Filtering of protected and unprotected files in the media library
- Search and replace for unprotected URLs (which makes it very easy to replace older, unprotected files)
- Custom “no access” page (the page that visitors see when viewing a prohibited file)
- Unlimited download links with customization and limits based on downloads, IP addresses, or expiration
- Custom access for certain user roles
- Can hide your WordPress version and sensitive file access
- Shortcodes to display your protected files
- Works on all server types
- Supports paid extensions (listed below)
To get a real grasp of how all these features work, look at the usability section, which shows a couple of screens (or watch the video).
Integrations and Extensions
There are many paid extensions available for PDA. Prevent Direct Access has the following extensions:
| Extension | What it does |
|---|---|
| Membership Plugin Integration | Integrates PDA with membership plugins such as Simple membership, User Access Manager, Paid Membership Pro, WooCommerce Memberships, etc. |
| Amazon S3 Uploads | Synchronizes and offloads protected files to Amazon S3 |
| File Access Restriction & Folder Protection | Restrict access to certain user roles, custom members or certain folders. |
| Protect WordPress Video & Audio | Protect video and audio files |
| Protect WordPress Pages, Posts & Post Types | Protect and expire your pages and posts |
| Watermark WordPress files | Watermark your files |
| Private Magic Links | Update private links in your content automatically |
| WooCommerce Integration | Integrate private magic links with WooCommerce email |
| Contact Forms Integration | Protect file-uploads in contact form plugins |
| LearnDash Integration | Restrict LearnDash modules to enrolled students |
| Advanced Custom Fields Integration | Protect files through upload fields in ACF |
| ActiveCampaign Integration | Integrate private links in ActiveCampaign |
| Campaign Monitor Integration | Integrate private links in Campaign Monitor |
| Mailchimp Integration | Send customers an expiring product download link |
| Dropbox Integration | Protect WooCommerce products stored in Dropbox |
| PayPal Integration | Send customers an expiring product download link after PayPal purchase |
| AffiliateWP & Sendowl Integration | Connect SendOwl products with AffiliateWP |
| WordPress Multisite Integration (free with Pro subscription) | Make PDA work with WordPress multisite |
| WordPress Robots.txt Integration | Make PDA work with the regular robots.txt file |
| PDA Gold Statistics (free with Pro subscription) | Get download statistics for your files |
By default, PDA already works with membership plugins such as Ultimate Members and WP-Members.
There is no such thing as Prevent Direct Access
While there are many plugins that can help in limiting access to certain content in WordPress, there are just a few plugins that do file protection properly: Prevent Direct Access, WordPress Download Manager, Content Control, Protect WordPress Uploads and Prevent Files / Folder Access (if you find another plugin that does it well, please let me know).
Easy Digital Downloads and WooCommerce can protect digital files, but do not offer easy solutions for protecting all files in your media library. Other plugins such as WP Private Content, Restrict User Access, or User Access Manager can protect attachments, content, pages, posts and such but do not have quick solutions for protecting files from your media library directly.
In that sense, Prevent Direct Access is unique and in my opinion one of the best plugins for directly securing files with control over what kinds of users can see your files and the encryption of files.
Of course, you can also roll out server-side solutions and thus limit file access. Some examples are changing your Nginx configuration files or .htaccess files or extending existing plugins with custom programming, but that will take a lot of time and technical experience.
Prevent Direct Access Review: Using the Plugin
Prevent Direct Access is easy to use, even if you use it the first time.
How do I use Prevent Direct Access?
Using Prevent Direct Access is easy. Go to the Plugins section of your WordPress dashboard, and click ‘Add New Plugin’ and search for Prevent Direct Access. Add the plugin.
Optionally, buy Prevent Direct Access Gold if you need advanced features and protection of many files. After purchasing, upload the file that you received after the purchase on your WordPress website.
In your dashboard, under Prevent Direct Access Gold, go to license and add your license. You can now do what is described in the following sections.
Managing File Permissions
If you head over to your media library, upload any file you need to protect. You will see a similar screen:
Protection is as easy as switching the button, after which you have your file protected (by clicking “Configure file protection”). After clicking on this link, a pop-up will open with the following settings:
Also, only users with the role you indicated can view or download this file:
It’s also possible to encrypt this file, which makes it impossible to view this file as an unauthorized user even if you manage to access it.
On the below screen, you can also add temporary download links. These links are accessible to anyone, so not really protected, but can have some limits (such as a maximum number of downloads or an expiry date). After you have added this link, it will appear in the first tab of the above screen (which may be a bit confusing).
When using the bulk editor of WordPress, it’s also possible to protect many files in one go.
Lastly, there are a couple of general settings that are worth mentioning.
I won’t go into detail for each option as the image is pretty self-explanatory, but as you can see the settings are all clearly grouped and have very clear switches. It’s also good that each setting is explained.
It’s also possible to block certain IP addresses from accessing files, as shown on the screen above.
As you can see from these screens, the settings screen is very straightforward and PDA Gold is very easy to use.
Onboarding: the walkthrough
And if you want to be taken by the hand, there is even a walkthrough that will guide you through the whole plugin step by step. Amazing!
Uh-oh! A user experience no-go.
The only odd thing I found is their pricing page (which is not a part of the plugin, but it’s funny enough to mention). When you enter their pricing page, all the links at the top of the page (the menu items) disappear.
This probably makes it easier for users to be focused on the pricing plans and increase conversion (the number of people that visit the page versus the number that actually buy the plugin). However, it’s also a questionable practice from a user experience perspective (it’s a good practice to keep site navigation always visible).
Performance Considerations of Prevent Direct Access
Prevent Direct Access is a relatively lightweight plugin. The only drawback is that it needs to check for protected files or images when someone visits such a file or image. That may have some influence on the loading speed of a website. But don’t worry, this shouldn’t bring your site down.
Limited resource usage: PDA is lightweight
One of the aspects I test with performance is the so-called ‘heaviness’ of a plugin. The idea is simple: if you have a WordPress website, it is hosted on a server and therefore requires some resources from this server. Adding a plugin usually increases the amount of resources required from the server (albeit by a tiny margin).
What I test is how much memory and how many queries a plugin adds. This gives a good insight into the ‘weight’ of a WordPress plugin.
On the back-end, PDA only requires 800kbs of additional memory and at most adds 10 queries. This is excellent and I can say PDA is truly lightweight. The Gold version (the professional version of PDA) adds the most weight but offers a lot of additional features.
Also, the plugin is doing well in the so-called P3 performance profiling test.
Only protected files are handled
Another aspect is that PDA only handles your protected files, and ignores unprotected files. In other words, the code of PDA is written in such a way that it doesn’t affect the unprotected files you have. As a consequence, performance is a lot better than with some other plugins that do it the other way around.
(Older versions of PDA used to have a different set-up, which resulted in very poor performance).
Almost no front-end bloat
Another great fact is that Prevent Direct Access does not add any unnecessary bloat to the front-end of your WordPress website. It only interacts with the front-end on locations where protected images, files or media appear.
Of course, this makes a lot of sense for an access plugin, but you don’t want to know what plugins sometimes add in the most unnecessary places.
Some security considerations
Prevent Direct Access uses the WordPress REST API to perform a lot of its actions. It’s outside of the scope of this review to explain what a REST API is. But basically, it is a way to perform actions using URLs. One drawback is that this API is exposed to the public, meaning that everyone can see how this API is configured. Luckily, that doesn’t mean that anyone can use this API, as you still need to be logged in as an authorized user. In some cases, however, it might be a security risk.
So, I did some poking around to see if there would be any easy loophole in the mentioned API, but everything seems to be shielded off properly. One way in which the plugin could influence the performance of your site is if someone were to hammer these so-called endpoints with lots of visits. But if that happens you have a problem anyway.
One of the drawbacks I found in the documentation is a known error with the plugin: when you have protected many files (over 10.000 files) and deactivate a plugin, it may trigger a timeout error. Apart from that, the impact of the plugin on performance doesn’t seem to be staggering.
Another drawback is that a lot of hosting companies use a technique called caching to speed up your websites. Sometimes you have to configure this yourself, and sometimes this is taken care of by the hosting (or a combination of the two). In many cases, Prevent Direct Access does not work well with caching, but their documentation gives ample details on how to fix these issues.
Lastly, images and files that are protected and appear on the front-end of your site may load slower. That’s because PDA needs to check if you (as a visitor) have the right permissions to view this file. If you have many visitors that need to view protected files (or files available through a download link), this may impact performance.
Troubleshooting Prevent Direct Access: the Support
I had an excellent experience with the support: the support available on live chat answered within one minute and the email was answered within 2 hours. The knowledge level of support is also good.
Live chat and ticket/form support
PDA is offering two ways of support, via Live chat and tickets. Although I believe the scope of support on live chat is limited and it’s also used for sales (premium users are directed towards the support form), they still answer questions rapidly.
I asked a couple of technical questions and they were all answered satisfactorily, indicating a proper knowledge level.
One thing I don’t like about the support is the premium support form: it’s really long and you have to add a lot of details. I do understand why they are doing that, because they probably want to rule out dumb users and everything that is not really an issue. However, it makes contacting support a small hurdle.
Great documentation and FAQs
One thing that is outstanding for Prevent Direct Access is its excellent documentation. Besides articles concerning the plugin itself, they have many documents that talk about how to integrate PDA with a certain other plugin or how to make it work with the majority of the hosting providers.
Another thing I like is that PDA has a dedicated section on their site for feature requests. Another sign they are taking their users seriously.
What do users say?
Users are very positive about Prevent Direct Access. The free version is rated 4.7 on average, with the majority of the reviews being 5-star reviews.
Prevent Direct Access Review: the Pricing
If you only want to protect a few files (up to 9) on an Apache server, PDA is priced greatly (because it’s free…). For other use cases, I find the plugin to be a bit expensive (compared to many plugins that follow the $39, $99, $199 pricing model).
Prevent Direct Access has the following pricing plans (outside the free plan):
| $178.80 yearly | $322.80 yearly | $358.80 yearly |
| ($549.90 lifetime) | ($769.90 lifetime) | ($869.90 lifetime) |
| Up to 3 websites | Up to 10 websites | Up to 15 websites |
| Updates & Support | Updates & Support | Updates & Support |
| | | Free statistics add-on |
| | | Free Multisite add-on |
One of the great things (for people who hate subscriptions) of PDA is that they do have a lifetime subscription. Oddly enough, I find the difference between the Plus and Pro plan pretty small, making the Plus plan a bit redundant in my opinion.
However, the many extensions Prevent Direct Access has may increase pricing greatly. Let’s see what you will pay per license:
| Extension | Price per license |
|---|---|
| Membership Plugin Integration | $49.90 |
| Amazon S3 Uploads | $89.90 |
| File Access Restriction & Folder Protection | $69.90 |
| Protect WordPress Video & Audio | $119.90 |
| Protect WordPress Pages, Posts & Post Types | $169.90 |
| Watermark WordPress files | $119.90 |
| Private Magic Links (easy embedding) | $49.90 |
| Contact Forms Integration | $49.90 |
| Advanced Custom Fields Integration | $69.90 |
| Campaign Monitor Integration | $49.90 |
| AffiliateWP & Sendowl Integration | $69.90 |
| WordPress Multisite Integration (free with Pro subscription) | $52.90 |
| WordPress Robots.txt Integration | $39.90 |
| PDA Gold Statistics (free with Pro subscription) | $49.90 |
Although in many cases you may not need so many extensions, the pricing may rack up quickly.
Alternatives to Prevent Direct Access
While there are no real comparable alternatives, there are a couple of alternatives that come close and may offer similar functionalities as Prevent Direct Access:
- Protect WordPress Uploads, which is free and just protects files. Nothing more, nothing less. Not as elaborate as PDA, but fine for simple file protection.
- Content Control, which limits access to any content, including media, for specified users. Rated well but not as many options for protecting files as PDA.
- The WordPress Download Manager, which is a plugin for managing (digital) downloads and can also protect media files. Very elaborate plugin, but overkill if you just need to protect files, and rated worse than other plugins.
- Prevent File Access, a WordPress plugin that limits file access for any media library files and even access to folders. Also supports protection depending on user role and custom redirects. From the above list, seems to be most comparable with PDA and also most competitive. It’s also part of a company active in login and security solutions.
Prevent Direct Access Review: The Conclusion
I started with the question: can WordPress protect media files? In essence, WordPress itself can’t. But there are some great WordPress plugins for that exact feature.
In my opinion, Prevent Direct Access is one of the best solutions for protecting WordPress media files. It’s easy to use, has some great features such as user-based file protection, file encryption and download links. Moreover, it is performant and support is great. As a downside, I find the subscription model a bit pricey.
Now they have a 60-day money-back guarantee and a free version, so it’s worth trying them out.