WordPress Membership Site Security Guide
Secure your WordPress membership site with content protection, subscription security, and member account safeguards.
Membership sites require protecting premium content while managing secure payments and member accounts. Security failures can lead to content theft and subscription fraud.
Membership Security Challenges
Unique Risks
- Content leaking to non-members
- Subscription payment fraud
- Account sharing violations
- Member data exposure
- Access control bypasses
Content Protection
Server-Side Access Control
// Check membership before serving content
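/**
 * Gate the rendered content of premium posts behind an active membership.
 *
 * Hooked to `the_content`. The post type is read from the post currently in
 * the loop (get_post_type()) rather than from is_singular(): is_singular()
 * only inspects the main query, so a premium post rendered inside an archive,
 * a related-posts widget or any other secondary loop was served ungated.
 *
 * Templates or plugins that echo $post->post_content directly, and excerpts,
 * never pass through this filter and need their own gate.
 *
 * @param string $content The post content passed through the filter.
 * @return string The original content for members, otherwise a placeholder notice.
 */
function wpfs_check_membership_access($content) {
    // Only premium posts are gated; every other post type passes through untouched.
    if (get_post_type() !== 'premium_post') {
        return $content;
    }
    if (!wpfs_user_has_access()) {
        return 'This content is for members only.
';
    }
    return $content;
}
add_filter('the_content', 'wpfs_check_membership_access');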
// Reusable membership check for templates and other hooks
/**
 * Whether the current visitor holds an active membership.
 *
 * Anonymous visitors never have access. For a logged-in user the
 * `subscription_status` user meta is read and only the exact string
 * 'active' grants access.
 *
 * @return bool
 */
function wpfs_user_has_access() {
    if (!is_user_logged_in()) {
        return false;
    }
    $status = get_user_meta(get_current_user_id(), 'subscription_status', true);
    return 'active' === $status;
}
Prevent Direct File Access
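# .htaccess for protected downloads (Apache + mod_rewrite only; nginx ignores .htaccess)
RewriteEngine On
# Forbid every request under /protected-content/, not only existing files:
# the earlier `-f` condition let requests for directories through, which
# exposes index listings where they are enabled. [NC] also blocks case
# variants of the prefix on case-insensitive filesystems.
RewriteCond %{REQUEST_URI} ^/protected-content/ [NC]
RewriteRule .* - [F,L]
# Serve protected files through a PHP handler that resolves an expiring
# download token to a server-side file record (see the download handler
# below). Do not expose a handler that takes a file name from the query
# string — that pattern invites path traversal.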
Subscription Security
Payment Verification
// Verify subscription status regularly
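add_action('init', 'wpfs_verify_subscriptions');
/**
 * Re-check every 'active' subscription against the payment provider and
 * downgrade the ones the provider no longer reports as active.
 *
 * Hooked to `init` but only does work during a WP-Cron run (DOING_CRON),
 * so ordinary page loads are not slowed by provider calls.
 *
 * A failed provider lookup is skipped, not treated as "not active": the
 * earlier `$status !== 'active'` test expired every member during a
 * transient provider outage. Assumes wpfs_check_stripe_subscription()
 * returns a status string on success and null/false/WP_Error on failure —
 * TODO confirm against that helper.
 *
 * @return void
 */
function wpfs_verify_subscriptions() {
    if (!defined('DOING_CRON') || !DOING_CRON) {
        return;
    }
    // Only IDs are needed; avoids hydrating a WP_User object per member.
    $user_ids = get_users(array(
        'meta_key'   => 'subscription_status',
        'meta_value' => 'active',
        'fields'     => 'ID',
    ));
    foreach ($user_ids as $user_id) {
        // Check with payment provider
        $subscription_id = get_user_meta($user_id, 'subscription_id', true);
        $status = wpfs_check_stripe_subscription($subscription_id);
        if (null === $status || false === $status || is_wp_error($status)) {
            // Lookup failed — keep the stored status and retry on the next run.
            continue;
        }
        if ($status !== 'active') {
            update_user_meta($user_id, 'subscription_status', 'expired');
        }
    }
}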
Prevent Account Sharing
// Limit concurrent sessions
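add_action('wp_login', 'wpfs_limit_sessions', 10, 2);
/**
 * Cap the number of concurrent sessions a member may hold.
 *
 * Hooked to `wp_login`, which wp_signon() fires after the auth cookie for
 * the new session has been set, so the count below already includes the
 * session being opened.
 *
 * The earlier version compared against 1 while its comment promised 2, and
 * called destroy_all(), which also destroyed the session just created and
 * logged the user straight back out. Over the limit we now prefer
 * destroy_others(), keeping the current session; when the current token
 * cannot be read in this request the original destroy_all() remains the
 * fallback.
 *
 * @param string  $login The user's login name (unused; hook signature).
 * @param WP_User $user  The user who just logged in.
 * @return void
 */
function wpfs_limit_sessions($login, $user) {
    $max_sessions = 2; // Allow only 2 concurrent sessions
    $manager = WP_Session_Tokens::get_instance($user->ID);
    if (count($manager->get_all()) <= $max_sessions) {
        return;
    }
    // NOTE(review): wp_get_session_token() reads the logged_in cookie from
    // $_COOKIE, which setcookie() does not update within the same request —
    // confirm it is populated here; if not, the fallback branch runs.
    $current_token = wp_get_session_token();
    if ('' !== $current_token) {
        $manager->destroy_others($current_token);
    } else {
        $manager->destroy_all();
    }
}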
// Track login IPs
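add_action('wp_login', 'wpfs_track_login_ip', 10, 2);
/**
 * Record the client address of each login and flag accounts whose recent
 * logins come from too many different addresses (a sharing heuristic).
 *
 * Keeps the last 10 logins in the `login_ips` user meta and calls
 * wpfs_flag_account_sharing() when more than 5 distinct addresses appear
 * among them.
 *
 * REMOTE_ADDR is set by the web server, not the client, so it is used as-is.
 * Behind a reverse proxy or CDN it is the proxy's address for every visitor,
 * which makes the heuristic meaningless — in that setup resolve the real
 * client address from the proxy's configured header before this hook runs.
 *
 * @param string  $login The user's login name (unused; hook signature).
 * @param WP_User $user  The user who just logged in.
 * @return void
 */
function wpfs_track_login_ip($login, $user) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    if ('' === $ip) {
        // No client address (e.g. a WP-CLI login); nothing meaningful to record.
        return;
    }
    $ips = get_user_meta($user->ID, 'login_ips', true);
    if (!is_array($ips)) {
        // Missing or malformed meta: start a fresh history rather than fataling in array_column().
        $ips = array();
    }
    $ips[] = array('ip' => $ip, 'time' => time());
    $ips = array_slice($ips, -10); // Keep last 10
    update_user_meta($user->ID, 'login_ips', $ips);
    // Flag if too many different IPs
    $unique_ips = array_unique(array_column($ips, 'ip'));
    if (count($unique_ips) > 5) {
        wpfs_flag_account_sharing($user->ID);
    }
}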
Member Account Security
Secure Account Actions
// Require password for sensitive changes
// NOTE(review): the markup of this form was lost in extraction — only the
// field labels survive between `?>` and the `user_pass, $user_id)) {` tail,
// which reads like the end of a wp_check_password(<submitted password>,
// $user->user_pass, $user_id) call belonging to a separate save handler;
// confirm against the original source.
// `show_user_profile` only renders the profile screen. The password
// comparison has to run in the save hook (personal_options_update /
// edit_user_profile_update), after the nonce and capability checks, or it
// protects nothing.
add_action('show_user_profile', 'wpfs_require_password_confirm');
function wpfs_require_password_confirm($user) {
?>
Confirm Changes
Current Password
Enter your current password to save changes
user_pass, $user_id)) {
wp_die('Incorrect password');
}
}
Download Protection
Secure File Delivery
// Protected download handler
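add_action('init', 'wpfs_handle_download');
/**
 * Serve a protected file for a valid download token passed as ?download=TOKEN.
 *
 * The file path never comes from the request: the token is resolved by
 * wpfs_validate_download_token() to a server-side record and only its
 * `file_path` is read. Invalid tokens and unreadable files stop the request
 * with wp_die(); on success the file is streamed and the request exits.
 *
 * @return void
 */
function wpfs_handle_download() {
    if (!isset($_GET['download'])) {
        return;
    }
    // WordPress adds slashes to request superglobals; remove them before sanitising.
    $token = sanitize_text_field(wp_unslash($_GET['download']));
    $download = wpfs_validate_download_token($token);
    if (!$download) {
        wp_die('Invalid or expired download link');
    }
    $file = $download['file_path'];
    // is_file() rather than file_exists(): a directory "exists" but cannot be
    // streamed, and readfile() would emit a warning and serve nothing.
    if (!is_file($file) || !is_readable($file)) {
        wp_die('File not found');
    }
    // Serve file. Discard any output buffers first so a large file is streamed
    // instead of held in memory, and tell caches and browsers not to store or
    // sniff the response: a cached copy would be served to the next visitor
    // regardless of their token.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    nocache_headers();
    header('X-Content-Type-Options: nosniff');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}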
API Access Control
Protect REST Endpoints
// Require active membership for API
add_filter('rest_pre_dispatch', 'wpfs_membership_api_check', 10, 3);
/**
 * Short-circuit REST requests under /members/ for visitors without an
 * active membership.
 *
 * Runs on `rest_pre_dispatch`, before the route's own callbacks. Requests
 * outside the /members/ prefix are passed through with the incoming $result.
 *
 * @param mixed           $result  Pre-dispatch result from earlier filters.
 * @param WP_REST_Server  $server  The REST server (unused).
 * @param WP_REST_Request $request The current request.
 * @return mixed|WP_Error $result unchanged, or a 403 WP_Error for non-members.
 */
function wpfs_membership_api_check($result, $server, $request) {
    $is_members_route = 0 === strpos($request->get_route(), '/members/');
    if (!$is_members_route) {
        return $result;
    }
    $allowed = is_user_logged_in() && wpfs_user_has_access();
    return $allowed
        ? $result
        : new WP_Error('membership_required', 'Active membership required', array('status' => 403));
}
Data Privacy
Member Data Protection
- Encrypt sensitive member data
- Implement data export functionality
- Provide account deletion option
- Clear data retention policies
Conclusion
Membership site security protects both your content and member data. Implement server-side access controls, verify subscriptions, prevent account sharing, and secure downloads to maintain a profitable membership business.
Written by Sarah Chen
WP Folder Shield Team