View Categories

Protecting Files

In some situations, only specific users should be able to download or access files on a website. File protection helps prevent direct access to sensitive files while still allowing LearnDash features to function as intended. LearnDash stores certain files in the following directory on the web server:

/wp-content/uploads/learndash

These files may include exports or other system-generated assets that should not be publicly accessible.

The most common way to protect these files depends on the web server in use:

  • Apache servers use an .htaccess file
  • Nginx servers use rules inside a server configuration file

Protecting Files on Apache Servers #

How It Works #

Apache allows directory-level access control using an .htaccess file. This file is placed directly inside the directory that needs protection.

When configured, the server blocks direct access to files in that directory.

Steps #

  1. Locate the directory that should be protected (for example:
    /wp-content/uploads/learndash).
  2. Create a file named .htaccess inside that directory.
  3. Add the following rules to the file:
Order Allow,Deny
Deny from all

These rules prevent files in the directory from being downloaded or accessed directly via a browser.

Additional Resources #

For a full overview of .htaccess functionality and supported directives, refer to the official Apache documentation:
https://httpd.apache.org/docs/2.4/howto/htaccess.html

Protecting Files on Nginx Servers #

How It Works #

Nginx does not use per-directory configuration files like .htaccess. Instead, access rules are managed from a central server configuration file.

Directory protection is handled using location blocks.

Basic Rule Example #

To deny access to a specific directory, add the following rules to the appropriate server configuration file:

deny all;
return 403;

This configuration blocks all direct access and returns a 403 Forbidden response.

LearnDash Export Directory Example #

To protect files generated by the LearnDash Import/Export feature, add the following block:

location "/wp-content/uploads/learndash/export" {
    deny all;
    return 403;
}

This ensures exported LearnDash files cannot be accessed directly from the browser.

Additional Resources #

For a full overview of Nginx configuration options, refer to the official Nginx documentation:
https://www.nginx.com/resources/wiki/start/topics/examples/full/

Server File Protection vs REST API Access (LearnDash 5.0) #

Server-level file protection applies only to direct file downloads. It does not affect access through the LearnDash REST API.

Key points:

  • Server rules (.htaccess or Nginx) block direct file URLs
  • REST API endpoints remain available at:
    /wp-json/ldlms/v2/
  • API access is controlled by REST permissions, not server file rules
  • Tools using WP Application Passwords authenticate through the REST API

File protection and API permissions work independently and should be configured based on the access requirements of the site.

Next Steps #

  • Review REST API permissions separately if API access needs to be restricted
  • Confirm the server type (Apache or Nginx) with the hosting provider
  • Test file access after applying rules to ensure LearnDash features continue working as expected

Updated on February 5, 2026