I am working on file sharing system where a user is able to upload a file to their account. Now the uploading part works. I made it so it uploads the file into a specific directory based on the user_nicename and the user_id Example: https://site.nl/wp-content/uploads/useruploads/[user_nicename][user_id]/file.pdf So now I was thinking to rewrite the URL when a user clicks on the file to a download.php file which checks if the user is the correct user. .htaccess: # Disable directory listing Options -Indexes # Rewrite requests to /wp-content/uploads/useruploads/ to download.php RewriteRule ^wp-content/uploads/useruploads/(.*)$ /wp-content/themes/Child%20Theme/file-access/download.php?file=$1 [QSA,L] Now the main problem is I am getting a permission error My second inquiry is whether this is deemed safe. or should there be more authentication or should I do this in a complete different way?