Since at least Drupal 7, the core CMS has included the concept of “private files.” The files are stored in a directory that is not served publicly by the web server. Instead the CMS generates a proxy URL for each file, which is handled by the CMS like a page URL before serving the file by streaming it through PHP. So: it’s a heavier load on the server, but you get full permission management by the CMS.

Wordpress does not have this in core—no surprise. I was surprised to find that it’s not even available as a community plugin. I had to pay a developer to write a custom plugin when building a members-only website in Wordpress.

Some folks downplayed the risk of someone finding and directly accessing the file URL if it wasn’t referenced on a public page. It’s crazy to see it created a national government incident in the UK.