In December 2025, a major data leak in the UK made headline news across the globe. For WiscWeb users, this incident is a reminder that WordPress handles media URLs a bit differently than other content (like pages and posts). Therefore, traditional methods for protecting content do not protect media that is uploaded to the site. This is true for both page protection options in WiscWeb: NetID page protection and the WordPress native password protection.
What is most important for me to know?
By default, all WordPress media files (images, PDFs, and anything else in the Media Library) are publicly accessible via the direct URL – even if you put them on a protected page. They can also be indexed by Google and found in Google Search results.
Why don’t the page protection options protect my media?
Files uploaded into the Media Library in WordPress get served from the wp-content/uploads directory. Traditional server configurations – like WiscWeb’s – will allow public access to these files unless specifically blocked. This is how WordPress expects a server to be configured and is the norm for WordPress websites.
Note: Blocking this directory would make all other media in your Media Library inaccessible as well.
WiscWeb, as a service, is cleared for low risk data only. The content uploaded to the service is intended to be publicly accessible. Therefore, we cannot block media directories.
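To find which files on a protected page fall outside its protection, a site editor can scan the page's HTML for links into wp-content/uploads. The Python script below is an added example, not WiscWeb's own tooling; the hostnames, sample HTML, and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

UPLOADS = "/wp-content/uploads/"  # Media Library directory named above

class MediaLinkFinder(HTMLParser):
    """Collect absolute URLs from href, src and srcset attributes."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in ("href", "src"):
                self.urls.append(urljoin(self.base_url, value.strip()))
            elif name == "srcset":  # "url 300w, url 600w"
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.urls.append(urljoin(self.base_url, parts[0]))

def find_unprotected_media(page_html, page_url):
    """Return sorted, unique same-site URLs served from wp-content/uploads."""
    finder = MediaLinkFinder(page_url)
    finder.feed(page_html)
    site = urlparse(page_url).netloc.lower()
    hits = set()
    for url in finder.urls:
        parsed = urlparse(url)
        if parsed.netloc.lower() == site and UPLOADS in parsed.path.lower():
            hits.add(parsed._replace(query="", fragment="").geturl())
    return sorted(hits)

# Constructed sample: HTML of a hypothetical protected page.
SAMPLE_URL = "https://site.example/staff-only/"
SAMPLE_HTML = """
<p><a href="/wp-content/uploads/2025/12/roster.pdf">Roster</a></p>
<img src="https://site.example/wp-content/uploads/2025/12/chart.png"
     srcset="/wp-content/uploads/2025/12/chart-300x200.png 300w, /wp-content/uploads/2025/12/chart.png 600w">
<a href="https://files.example/s/placeholder">Budget (external storage)</a>
"""

if __name__ == "__main__":
    for url in find_unprotected_media(SAMPLE_HTML, SAMPLE_URL):
        print("reachable by direct URL despite page protection:", url)
```

Each URL it reports is a candidate for moving to a file storage service if the file is not meant to be public.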
What if I have a file that shouldn’t appear in Google Search results?
If you want to include a media file on a protected page but it must not appear in Google Search results or be accessible to the general public, please upload it to a file storage service like UW Box or Google Workspace. Within these services, you'll be able to restrict the file to just the intended audience. A link to that location can then be shared from the protected page.
Resources
- Review our Sensitive, Restricted, and Internal Data policy.
- Work with a campus data steward to understand the risk classification for your content.