How protected media files work

Overview

LifterLMS now not only prevents text copying on your pages but also secures quiz question images, making them accessible only to enrolled users who are logged in.

In other words, if anyone who is not actively taking the quiz tries to view a question’s images directly using the image’s URL, they will receive a “File not found.” response.

Enrolled students who are logged in will be able to view the image and, if they want to, they could download it or take a screenshot. LifterLMS protects your media only from the general public, not your enrolled students.

What images are protected

Questions in LifterLMS have an image description field. Images in the image description field of quiz questions are automatically protected.

Image description field.

Images in the Picture Choice question type are also automatically protected.

Images in the Picture Choice question type.

Lastly, images in the Reorder Pictures question type from the LifterLMS Advanced Quizzes add-on are automatically protected.

Images in the Reorder Pictures question type.

Everything else not listed above is not protected. For example, images added to the quiz Description field and the question Description field shown below are not protected.

Add Media button in quiz description field. Add Media button in question description field.

Where the protected images are located

By default, your WordPress uploads are stored in date-based folders inside the /wp-content/uploads/ folder. For example, unprotected images you upload on February 14, 2025, will be inside the /wp-content/uploads/2025/02/ folder.

Images protected by LifterLMS will be inside the /wp-content/uploads/lifterlms/ folder. For example, protected images you upload on March 15, 2026, will be inside the /wp-content/uploads/lifterlms/2026/03/ folder.

How the images are protected

Images in the /wp-content/uploads/lifterlms/ folder are secured by:

  • Blocking direct access to the folder and its contents. The folder (and all its subfolders) is blocked from direct access.
  • Providing an alternative way to access the folder’s images. A separate mechanism provides controlled access to these images.

How direct access to the /wp-content/uploads/lifterlms/ folder is blocked depends on which web server you are using.

  • Apache web server. An .htaccess file in the folder returns a 403 Forbidden response.
  • nginx web server. Any attempt to access the folder will redirect users to your homepage (e.g., domain.com/wp-content/uploads/lifterlms/ redirects to domain.com). Note that you must add this redirect rule manually.

How protected images are accessed

Protected images can be accessed by adding at least the llms_media_id query parameter to the URL of your site. The llms_media_image_size query parameter can also be added, but that is optional. For example, if your site is at domain.com, and the image you want to access has an ID of 100, then you can access that image by going to domain.com/?llms_media_id=100.

However, access to domain.com/?llms_media_id=100 will only be granted if all three of the following conditions are true at the same time:

  1. You are logged in to domain.com.
  2. You are enrolled in the course which contains the image domain.com/?llms_media_id=100 in one of its quiz questions.
  3. You are currently taking the quiz for which the image domain.com/?llms_media_id=100 is used in the manner described in the “what images are protected” section.
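
A defender's check for the behaviour described in this section and in the section on how the images are protected, added here as an example (it is not LifterLMS code): it takes responses recorded from logged-out requests and reports any protected-media URL that was still served. The function names, the sample file name q1.png, the 404 status in the sample and the rule that any 2xx image/* reply counts as a leak are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

SITE = "https://domain.com"                      # placeholder host used on this page
FOLDER = "/wp-content/uploads/lifterlms/"
REDIRECTS = (301, 302, 303, 307, 308)

def direct_access_blocked(server, status, location=""):
    """Was a direct request under FOLDER refused the way the page describes?"""
    if server == "apache":
        return status == 403                     # .htaccess answers 403 Forbidden
    if server == "nginx":
        if status not in REDIRECTS or not location:
            return False
        target = urlsplit(location)              # must point at the homepage
        same_host = target.netloc in ("", urlsplit(SITE).netloc)
        return same_host and target.path in ("", "/") and not target.query
    raise ValueError(f"unknown server: {server}")

def anonymous_media_blocked(status, content_type):
    """Assumption: any 2xx reply with an image/* body counts as a leak."""
    return not (200 <= status < 300 and content_type.lower().startswith("image/"))

def audit(server, observations):
    """observations: (url, status, headers) from logged-out requests. Returns failing URLs."""
    failures = []
    for url, status, headers in observations:
        h = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(url)
        if parts.path.startswith(FOLDER):
            ok = direct_access_blocked(server, status, h.get("location", ""))
        elif "llms_media_id" in parse_qs(parts.query):
            ok = anonymous_media_blocked(status, h.get("content-type", ""))
        else:
            continue                             # not a protected-media URL
        if not ok:
            failures.append(url)
    return failures

# Constructed sample: nginx rule covers the folder index but not the files in it.
SAMPLE = [
    (SITE + FOLDER + "2026/03/q1.png", 200, {"Content-Type": "image/png"}),
    (SITE + FOLDER, 302, {"Location": SITE + "/"}),
    (SITE + "/?llms_media_id=100", 404, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for url in audit("nginx", SAMPLE):
        print("NOT PROTECTED:", url)
```

Record the observations while logged out and with redirects not followed, otherwise the nginx redirect is seen as the homepage's 200 response.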

How to know what web server you are using

To find out which web server your web host is using, follow the instructions below:

  1. Navigate to WordPress Dashboard > LifterLMS > Status.
  2. Click on the “System Report” tab.
  3. Scroll down to “Server”.
  4. The web server software used on your site is listed under “Software”.
