Folio Gatehouse

0/5 (0 ratings). Updated Jun 19, 2026.

Folio Gatehouse lets you protect files inside your uploads directory by restricting access to specific WordPress user roles. Files are served through PHP — the web server never delivers them directly — so direct URL access is blocked regardless of link sharing.

Key features:

  • Zone-based protection — define named zones (subfolders inside your uploads directory) and assign allowed roles to each
  • Custom denial screens — create HTML pages shown to blocked users, with full control over styling and messaging; separate screens for anonymous and logged-in users
  • Redirect on denial — optionally redirect denied users to any URL (e.g. a sales page or membership signup) instead of showing a denial screen
  • Login redirect shortcode — [rbfa_login_link] inserts a secure login link that returns the user to the originally-requested file after authentication, using an opaque token so no file path is exposed in the URL
  • Zone virtual pages — each zone automatically gets a front-end page at /protected-zone/{slug}/ with customisable title and body content, rendered inside your active theme
  • Browsable file listing — the [rbfa_files] shortcode renders a collapsible, downloadable file listing for authorised users, with per-directory file counts, sizes, and ZIP download buttons
  • Access logging — every request is logged with timestamp, username, IP, file path, and status; filterable, sortable, and exportable as CSV
  • Role management — create and manage custom WordPress roles (fgh_ prefix) directly from the plugin, with searchable member management
  • .htaccess integrity — automatically writes and repairs rewrite rules across all protected directories; optional hourly cron
  • NGINX support — dedicated tab generates ready-to-copy location blocks when NGINX is detected
  • Export / Import — back up and transfer zones, roles, denial screens, and settings as a JSON file; conflict resolution on import
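The ".htaccess integrity" feature above means keeping a rewrite block inside each zone directory that hands every file request to a PHP handler and repairing it when it drifts. The following is an added illustration of that mechanism, not the plugin's own code: the handler path (/wp-content/plugins/folio-gatehouse/serve.php), the zone and file query arguments, the marker comments and the cron hook name are assumptions chosen for the example.

```php
<?php
// Added example (not Folio Gatehouse's code): generate the rewrite rules a
// protected zone directory needs and repair its .htaccess when the marker
// block is missing or has changed. Handler path, query argument names and
// marker text are assumptions for illustration.

const FGH_MARKER_BEGIN = '# BEGIN Folio Gatehouse';
const FGH_MARKER_END   = '# END Folio Gatehouse';

/**
 * Rules for one zone: route every request for a file in this directory to
 * the PHP handler so Apache never serves the file itself, and switch off
 * directory listings as a second line of defence.
 */
function fgh_zone_rules(string $zone_slug): string {
    $slug = preg_replace('/[^a-z0-9\-]/', '', strtolower($zone_slug));
    return implode("\n", [
        FGH_MARKER_BEGIN,
        'Options -Indexes',
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        // The remaining path is passed as a query argument; the handler resolves it.
        'RewriteRule ^(.*)$ /wp-content/plugins/folio-gatehouse/serve.php?zone=' . $slug . '&file=$1 [L,QSA]',
        '</IfModule>',
        FGH_MARKER_END,
    ]) . "\n";
}

/** The marker block currently present in the file, or null if absent. */
function fgh_current_block(string $contents): ?string {
    $begin = strpos($contents, FGH_MARKER_BEGIN);
    $end   = strpos($contents, FGH_MARKER_END);
    if ($begin === false || $end === false || $end < $begin) {
        return null;
    }
    return substr($contents, $begin, $end + strlen(FGH_MARKER_END) - $begin) . "\n";
}

/**
 * Ensure the directory's .htaccess carries exactly the expected block.
 * Returns true if the file was (re)written, false if it was already intact.
 * Anything outside the markers (e.g. rules another plugin added) is kept.
 */
function fgh_repair_htaccess(string $dir, string $zone_slug): bool {
    $path     = rtrim($dir, '/') . '/.htaccess';
    $expected = fgh_zone_rules($zone_slug);
    $contents = is_file($path) ? (string) file_get_contents($path) : '';
    $current  = fgh_current_block($contents);
    if ($current === $expected) {
        return false; // intact, nothing to do
    }
    if ($current !== null) {
        $contents = str_replace($current, '', $contents); // drop the drifted block
    }
    $rest     = rtrim($contents);
    $contents = ($rest === '' ? '' : $rest . "\n") . $expected;
    // LOCK_EX avoids a torn file if the hourly cron and an admin save race.
    return file_put_contents($path, $contents, LOCK_EX) !== false;
}

// Usage: an hourly WP-Cron action that walks the zones. The hook name and
// the zone slugs are constructed for this example; wp_upload_dir() and
// add_action() are WordPress core.
add_action('fgh_hourly_integrity', function () {
    foreach (['members-only', 'press-kit'] as $slug) {
        fgh_repair_htaccess(wp_upload_dir()['basedir'] . '/' . $slug, $slug);
    }
});
```

The comparison is against the full expected block rather than a mere presence check, so an edited or partially deleted block is rewritten; that is what makes the hourly cron worth having on hosts where other tooling rewrites .htaccess files.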

Security

  • Files served through PHP (readfile) — web server never delivers protected files directly
  • Path traversal blocked by realpath() boundary check before any file is served
  • Login redirect tokens are opaque — no file path, role, or zone information in the URL
  • Denial screen HTML filtered through a strict wp_kses allowlist on save and read-back
  • CSRF protection on every form via WordPress nonces
  • All ORDER BY clauses use a server-side whitelist to prevent SQL injection
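The security list above describes four controls in the file-serving path: readfile() delivery, a realpath() boundary check, opaque login-return tokens and a whitelisted ORDER BY. The block below is an added example of how those controls fit together in a handler, written for this page and not taken from the plugin; the function names, the zone-to-roles map, the transient key and the query argument names are assumptions.

```php
<?php
// Added example (not Folio Gatehouse's code): the checks a PHP handler
// performs before streaming a protected file. Assumes it is reached via a
// rewrite rule with "zone" and "file" query arguments; WordPress is loaded
// so core functions (wp_get_current_user, set_transient, ...) exist.
require_once __DIR__ . '/../../../wp-load.php'; // path is an assumption

/**
 * Resolve a user-supplied relative path inside the zone directory and
 * reject anything that escapes it. realpath() collapses "..", symlinks and
 * repeated separators first, so the prefix comparison is made on the
 * canonical path, never on the raw string. A symlink inside the zone that
 * points outside it resolves outside $base and is therefore rejected too.
 */
function fgh_resolve_in_zone(string $zone_dir, string $relative): ?string {
    if (strpos($relative, "\0") !== false) {
        return null; // filesystem functions reject NUL; fail closed first
    }
    $base = realpath($zone_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    // Must exist, be a regular file, and sit strictly below $base.
    if ($candidate === false
        || !is_file($candidate)
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/** True if the current user holds any of the zone's allowed roles. */
function fgh_user_allowed(array $allowed_roles): bool {
    $user = wp_get_current_user();
    return (bool) array_intersect($allowed_roles, (array) $user->roles);
}

/**
 * Opaque login-return token: a random id stored server-side (transient)
 * that maps to the requested zone and path. The URL carries only the id,
 * so no file path, role or zone name is exposed.
 */
function fgh_issue_return_token(string $zone_slug, string $relative): string {
    $token = bin2hex(random_bytes(16));
    set_transient('fgh_ret_' . $token, ['zone' => $zone_slug, 'file' => $relative], 10 * MINUTE_IN_SECONDS);
    return $token;
}

/** Map a requested sort column to a fixed SQL column; input is never interpolated. */
function fgh_orderby_sql(string $requested, string $dir): string {
    $columns = ['logged_at' => 'logged_at', 'username' => 'user_login', 'status' => 'status', 'ip' => 'ip'];
    $column  = $columns[$requested] ?? 'logged_at';
    $dir     = strtoupper($dir) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY {$column} {$dir}";
}

/** Stream the file through PHP; the web server never touches it directly. */
function fgh_serve(string $path): void {
    nocache_headers();
    header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
    // Force download and forbid sniffing so an uploaded HTML/SVG file is not
    // rendered in the site's origin by a browser.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Handler entry. The zone map is constructed for the example.
$zones    = ['members-only' => ['fgh_member', 'administrator']];
$slug     = sanitize_key($_GET['zone'] ?? '');
$relative = (string) ($_GET['file'] ?? '');
if (!isset($zones[$slug])) {
    status_header(404);
    exit;
}
$path = fgh_resolve_in_zone(wp_upload_dir()['basedir'] . '/' . $slug, $relative);
if ($path === null) {
    status_header(404); // same response for missing and out-of-zone paths
    exit;
}
if (!fgh_user_allowed($zones[$slug])) {
    status_header(403); // the plugin would show a denial screen or redirect here
    exit;
}
fgh_serve($path);
```

Two design points worth noting: the boundary check compares against $base plus a trailing separator, so a sibling directory whose name merely starts with the zone name (zone "docs" versus "docs-private") cannot pass, and out-of-zone paths get the same 404 as missing files so the response does not reveal which paths exist.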

Requirements

  • Apache with mod_rewrite enabled, or NGINX (with manual server block configuration — see the NGINX Config tab)