Subject to what is said in the next paragraph below, template documents, and merged documents that are saved rather than deleted, will be accessible via their URLs by anyone who has the URL. GravityMerge adds a random number string to each merged document name to prevent people being able to guess URLs but, despite this, you should treat merged document URLs as akin to a password.
As an added security feature, you can ensure that only logged in users are able to access templates at their URLs and merged documents at their URLs. How this is done depends on whether your site is running on an Apache server or an NGINX server:
- If your site is running on an Apache server, GravityMerge deals with this automatically via a change to the .htaccess file (you may still wish to check that the automatic change is effective).
- By contrast, if your site is running on an NGINX server, you will need to ask your webhost to do this for you. You will need to ask your webhost to add the following rule to the server:
location ~* \.(pdf|doc|docx|zip)$ {
if ($http_cookie !~* "wordpress_logged_in") {
return 403;
}
}