Prevent access to WooCommerce downloadable products in WPEngine

If you use WPEngine and WooCommerce to sell digital products, you might have realized that your downloadable products are publicly accessible to anyone. You can use redirect rules to protect access to WooCommerce downloadable products in WPEngine, but WPEngine now has a feature called web rules that lets you block access in a way similar to what .htaccess does.

First go to the dashboard of your site in WPEngine. Then click on the Web rules option at the bottom in the sidebar menu:

[Image: WPEngine site sidebar menu]

Then you just need to create an access rule to block direct access to the WooCommerce downloadable products in WPEngine:

[Image: Protect WooCommerce downloadable products in WPEngine]

When you create the new rule, use the following configuration:

Order: 1 (or a lower order value than any rule that could interfere)
Action: Deny
IP: All
Condition type: URI
Condition Operator: Regex matches (~)
Condition value: wp-content/uploads/woocommerce_uploads/

This configuration blocks direct access to the files in the WooCommerce uploads folder. When one of your downloadable products is bought, WooCommerce gives the customer a link, and the customer uses this link to download the product.
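
To confirm the rule is in effect, request a file under the protected folder directly and check that the server no longer serves it. The script below is an added example, not part of the original post; it assumes the Deny rule answers with HTTP 403 and that the regex is applied as an unanchored search, and the sample paths and the shop.example host are constructed.

```python
import re
import sys
import urllib.error
import urllib.request

# Condition value of the web rule. Assumption: "Regex matches (~)" is an
# unanchored, case-sensitive search, like Nginx's "~" operator.
RULE = re.compile(r"wp-content/uploads/woocommerce_uploads/")

def rule_applies(uri):
    """True if the Deny rule's regex matches this request URI."""
    return RULE.search(uri) is not None

def http_status(url, timeout=10):
    """HEAD the URL and return the final status code (redirects followed)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, paths, fetch=http_status):
    """Return (path, status, verdict) for each path requested on the site."""
    results = []
    for path in paths:
        status = fetch(base_url.rstrip("/") + path)
        if not rule_applies(path):
            verdict = "NOT_COVERED"  # the rule does not target this URI
        elif 200 <= status < 300:
            verdict = "EXPOSED"      # served directly: rule missing or overridden
        elif status == 403:
            verdict = "BLOCKED"      # assumed response of a Deny rule
        else:
            verdict = "CHECK"        # e.g. 404: the test file does not exist
        results.append((path, status, verdict))
    return results

if __name__ == "__main__":
    # Constructed sample paths; use a real file from your own store.
    paths = [
        "/wp-content/uploads/woocommerce_uploads/2024/05/ebook.pdf",
        "/wp-content/uploads/2024/05/cover.jpg",
    ]
    if len(sys.argv) > 1:
        rows = audit(sys.argv[1], paths)  # live check against your site
    else:  # offline demo with constructed responses
        rows = audit("https://shop.example", paths, fetch=lambda u: 403 if rule_applies(u) else 200)
    for row in rows:
        print(*row)
```

Pass your site's URL as the first argument to run the live check; an EXPOSED verdict means the file is still reachable without a purchase link.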


Now that you have protected your files, let’s look at the “issue”. In short, WPEngine uses Nginx instead of Apache as its web server. WooCommerce creates an .htaccess file in its uploads folder, and Apache uses it to block access to the content of that folder. However, the .htaccess file doesn’t work in Nginx, which works differently and is configured differently. Unfortunately, WooCommerce has no way to make this configuration, and only the administrator of the web server can set it up and block the access. Previously, it was possible to prevent direct downloads in WPEngine using redirect rules. Now WPEngine has a feature named web rules that lets us make this configuration and easily block access to sections of our website.