PDF Embedder Documentation

Configuring Microsoft IIS for PDF Embedder Secure

Are your secure PDFs still accessible by anyone who has the direct file URL, even with PDF Embedder Secure active? On servers running Microsoft IIS, this happens because IIS does not use the .htaccess rules that protect these files on Apache.

This guide shows you how to configure IIS’s URL Rewrite module to block direct access to your secure PDF files, matching the protection PDF Embedder Secure applies automatically on Apache and Nginx servers.


Why IIS Needs Additional Configuration

PDF Embedder Secure stores protected files in wp-content/uploads/securepdfs/ and relies on server-level rules to stop visitors from bypassing the plugin and loading a PDF directly by URL. On Apache, this protection ships through an .htaccess file. On Nginx, it requires a rule added to the server block.

IIS does not read .htaccess files, so neither of those rules has any effect on an IIS server. Without an equivalent rule in your web.config file, any secure PDF remains reachable at its direct URL, regardless of your PDF Embedder Secure settings.

Requirement: URL Rewrite Module

Adding the rule below requires the IIS URL Rewrite module. This module ships as standard on most IIS installations that host WordPress sites. If your rewrite rules stop working after adding the configuration, confirm the module is installed before troubleshooting further.

Adding the Rewrite Rule

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block direct access to secure PDFs" stopProcessing="true">
          <match url="^wp-content/uploads/securepdfs/.*\.pdf$" ignoreCase="true" />
          <conditions>
            <add input="{REMOTE_ADDR}" pattern="^127\.0\.0\.1$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access denied" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

This rule blocks direct requests to any .pdf file inside wp-content/uploads/securepdfs/, except requests originating from 127.0.0.1 (localhost). Files with other extensions, such as images or audio, are unaffected.

Place this web.config file in your WordPress root directory. If a web.config file already exists there, merge the <rewrite> section into it instead of replacing the file.
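
A merged file might look like the following. This is an added example, not taken from the PDF Embedder documentation; it assumes the existing web.config holds only the usual WordPress permalink rule, and the rule name "WordPress Permalinks" is a placeholder for whatever your file already uses. The secure-PDF rule is copied unchanged from above and listed first, so IIS evaluates it before the permalink rule.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule from this guide, unchanged. Rules are evaluated in the order
             they appear, so the deny rule is listed first. -->
        <rule name="Block direct access to secure PDFs" stopProcessing="true">
          <match url="^wp-content/uploads/securepdfs/.*\.pdf$" ignoreCase="true" />
          <conditions>
            <add input="{REMOTE_ADDR}" pattern="^127\.0\.0\.1$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access denied" />
        </rule>

        <!-- Assumed pre-existing rule: the standard WordPress permalink rewrite.
             Keep whatever rules your file already contains; only the rule name
             here is a placeholder. -->
        <rule name="WordPress Permalinks" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php" />
        </rule>
      </rules>
    </rewrite>
    <!-- Any other existing system.webServer settings stay here as they were. -->
  </system.webServer>
</configuration>
```

Rule names must be unique within the <rules> collection, so rename the new rule if your file already has one with the same name.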

Frequently Asked Questions

Below, we’ve addressed some of the most common questions regarding IIS configuration for PDF Embedder Secure.

Do I need to restart IIS after adding this rule?

IIS picks up web.config changes automatically. A restart is not required, but recycling the application pool clears any cached configuration if the rule does not appear to take effect immediately.

Why does the rule allow requests from 127.0.0.1?

The plugin serves secure PDFs internally through localhost requests. Excluding 127.0.0.1 from the block lets PDF Embedder Secure continue serving files to visitors through the plugin while direct external requests are still denied.
