Files not protected in s2members-files directory

I have pdf files in the s2member-files directory but even when not signed in a user can access the file with a direct link, for example:

Shouldn’t the file be protected?


Hi Dan.

Did you set a Membership Options Page? s2’s restrictions don’t become active without it. WP Admin > s2Member > General Options > Membership Options Page

Did you configure the Basic Downloads Restriction? This is required for download protection to become active. WP Admin > s2Member Download Options > Basic Download Restrictions

I look forward to your update. :slight_smile:

Hello Cristian,
Thanks for your reply.
Yes to both questions.
screenshot to both:

Looking forward to your support,

Check if you maybe use nginx and not apache as web server. In that case you need to protect the folder in nginx.conf

The site is hosted on WP Engine, which does use NGINX.
Do you have any suggestions on how the nginx.config file should be?

My site is hosted on WPEngine and I’m having a real hard time with their support.
Is there a guide they can work with to have the downloads folder protected?
They also asked for the cookie name which S2 member is using, would you know what that is? Thanks

Protecting s2member-files/optimizeMember-files folder and other folders

location ~* /(s2member-files|s2member-logs|backup-db) {
    deny all;
    gzip off;
    access_log off; log_not_found off;
}


Hi Dan, thanks for your patience.

You can try what Felix suggested, and see if it helps.

You see, it’s not that s2’s download restriction isn’t working, it’s just that the directory itself, where the files are, is open to anyone. When accessing the files directly like that, they’re served by the server (e.g. Nginx) and not via WordPress, so s2 can’t prevent it. s2member-files has an .htaccess file that is what prevents direct access to the directory, but it doesn’t work the same in Nginx.

I don’t have experience with Nginx yet, but googled it a bit and, from what I could find online, it seems you need to register a redirect. See:

In the “Source” field you could try ^/wp-content/plugins/s2member-files/.*?$

The “Destination” can be your Membership Options Page.

Let me know how it goes! :slight_smile:

Thank you Felix and Cristian.

Felix - the code you mentioned - that should be added to the nginx config file?

Does that code check to see if a user is a member and if he is it will allow to view /download the file and if not - will redirect the user to the membership options page?

Cristian - I can add the redirect rule but how would it check to see if the user is a member or not?

Now with WP Engine being a more popular hosting platform maybe a tutorial or guide to reproduce the out of the box htaccess behaviour which ships with s2member could really help.
Looking at the .htaccess file in the protected directory, it has quite a bit of rules and conditions.

Thanks again,

The files would not be downloaded directly from there, they’d be served via WP and s2Member. So the directory can be totally inaccessible via the browser, but s2 would still have access to the files to serve them.

Or at least that’s how it works with Apache’s .htaccess, let’s see if the redirection with Nginx is the same when you test it. I don’t think it’d prevent the script from accessing the files.

For the user to get the file, you’d give a link like /? See the documentation: WP Admin > s2Member > Download Options > Basic Download Restrictions

I look forward to your update. :slight_smile:

Hi Cristian,
Let me detail one of the scenarios for the protected files:

  1. An email is sent to the client base with the link to the protected file.
  2. The user clicks on the link. If he is a member he is directed to the file (the browser will know he is a member with a cookie)
  3. If he is not a member he will be directed to the membership page / member options page asking him to log in or register.

It’s important for the client to protect these files since these direct URLs might be sent to other people who are not members of the site.


Hi Dan,
Like some others, I have no idea how nginx works, but I do have experience working with protecting files.

The ideal situation is one where the site visitors never see the direct link to the file. This is done by sharing a special link that then “looks up” the file after the user has been authenticated.

I don’t know how php savvy you are, however I programmed a script (or set of scripts) that would do exactly this. The trick is to program the script to validate the visitor with the cookie before letting them download the file. (I programmed a custom solution using code that can be found here: StackOverflow Link I had to separate the code into sections.)

However, if this doesn’t make any sense to you, then you could easily use the built in S2member tools. You would share a link that looked something like: and S2Member would be able to do the checks.

I don’t know how nginx blocks read access to directories, but if you are smart about how you program your solution, having the directory protected is not as significant as you might think.

Hope this helps.


Thanks Camden,
Using the url method works as expected and redirects users to the membership option if they are not registered and downloads the file for members.
I think that most users will not figure out to look for the path under wp-content/s2members…etc…, so using the above url should work fine.
Thanks for the code you shared on stackOverflow.

Thanks Again!

yes - inside nginx.conf file for the relevant site (if you have several). And s2member links will still work.
Direct links of course will not work - and they should not work.
Also it does not matter where you actually store the files - just symlink them into the s2member-files directory.

I also run my sites using nginx - way faster than apache. Some plugins with nginx will actually suggest how nginx.conf should look - but for others like s2-member you have to edit it yourself (and the plugin itself really should not edit it - especially if inside nginx.conf you just link to various conf files/directories).

Oh yeah - the gzip off is relevant as s2member is somehow bugged there I guess. If not, when you link .txt files through s2member, users will not get to the .txt page but a .gz txt download. (The ideal would be to present the user with a gunzipped .txt page - every browser can unextract .gz - but of course not if you are forwarded to … instead of a gunzipped domaincom/sample.txt)

Other files like .exe or .zip should be excluded already from zipping through other rules in nginx.conf.
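
A way to check whether an nginx config contains the deny rule from this thread and whether it would actually catch a direct file URL, as an added example that is not part of any post here. It models only flat `location` blocks (no nesting, no `include`), and the sample configs and the file name `report.pdf` are constructed for illustration.

```python
import re

# Constructed sample configs (not taken from a real server).
UNPROTECTED = """
server {
    location / { try_files $uri $uri/ /index.php?$args; }
    location ~ \\.php$ { fastcgi_pass unix:/run/php.sock; }
}
"""
# Same config with the location block posted in this thread placed first.
PROTECTED = UNPROTECTED.replace("server {", """server {
    location ~* /(s2member-files|s2member-logs|backup-db) {
        deny all;
        gzip off;
        access_log off; log_not_found off;
    }""", 1)

# Matches: location [modifier] pattern { body }  (body without nested braces)
LOCATION = re.compile(r"location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{([^{}]*)\}")

def select_location(conf, uri):
    """Return the (modifier, pattern, body) nginx would pick for a URI path."""
    blocks = LOCATION.findall(conf)
    # 1. An exact match (=) wins immediately.
    for mod, pat, body in blocks:
        if mod == "=" and uri == pat:
            return mod, pat, body
    # 2. Remember the longest matching prefix; ^~ skips the regex search.
    prefixes = [b for b in blocks if b[0] in ("", "^~") and uri.startswith(b[1])]
    best = max(prefixes, key=lambda b: len(b[1]), default=None)
    if best and best[0] == "^~":
        return best
    # 3. The first matching regex, in file order (~* is case-insensitive).
    for mod, pat, body in blocks:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return mod, pat, body
    # 4. Otherwise fall back to the longest prefix match.
    return best

def is_denied(conf, uri):
    """True if the location selected for this URI path contains 'deny all;'."""
    chosen = select_location(conf, uri)
    return bool(chosen and re.search(r"\bdeny\s+all\s*;", chosen[2]))

if __name__ == "__main__":
    direct = "/wp-content/plugins/s2member-files/report.pdf"
    for name, conf in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, "-> direct link denied:", is_denied(conf, direct))
```

nginx tries regex locations in the order they appear, so the deny block has to sit above any other regex location that could match the same path.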

Thanks a lot for all your help - very appreciated!
I ended up using this redirect via the wp-engine portal

And protecting direct links using this link structure:

I think that a Knowledge base article on the S2Member site with an in depth explanation regarding this issue would really help other users as well.