First of all I searched now for several days and found not a direct answer to: How to protect hotlinks to all files stored in /wp-content? Scenario: aMember 4 (setup with new-rewrite) protects a gallery post(!) so every visitor get's a redirect to sign up. The customer signs up successfully and comes back to the post which can be opened now. Now the customer saves all the direct content links (example: http://www.domain.tld/wp-content/image.jpg) and logs out. Question: Is the customer able to use these hotlinks to open them without logging back in? If so, aMember would protect actually uhh, nothing.