Close this search box.
Close this search box.

Protecting you Gravity Forms upload files

Protect your Gravity Forms uploads folder

Gravity Forms allows files to be uploaded as part of a form submission.

What the plugin does is store the files, when uploaded into a directory like this:


This uses a long string to make the URLs hard to guess and find. Like this:

What I didn’t know until we had some of these files turn up in Google’s index is that other than the long string, they are not protected. If you know the URL you can view the file.

Not ideal and really, Gravity Forms should point this out as I’m a long term user and it was a surprise to me.

Adding this to your .htaccess file will check to see if a user is logged in. If they are not you can redirect them (Update to where you’d like to redirect them to. Perhaps your home page.

#disallow access to file uploads unless user is logged in
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^wp-content/uploads/gravity_forms/(.*)$ [NC,R,L]

Protect your Gravity Forms upload links

If you have enabled the form notification, Gravity Forms will also send links to the uploaded files to your email.

By default, file download URLs will be obscured. This ensures that an individual cannot determine where the file is stored on the server.

If you need to turn secure file downloads off (not recommended), the gform_secure_file_download_location filter can be used.

The gform_require_login_pre_download filter can be used to require the user be logged in before the download URL will allow access to the file.

To do so, add the following code to the functions.php:

add_filter( 'gform_require_login_pre_download', 'protect_gf_uploads', 10, 3 );

function protect_gf_uploads($require_login, $form_id, $field_id) {
    return true;