htaccess – Using “wordpress_logged_in” to restrict direct access to uploads folder in 2021

I am looking at ways to restrict direct access to the WordPress Uploads folder. I’ve read a handful of Stack Overflow and blog posts about using “wordpress_logged_in” in .htaccess to check if a person is logged in and, if they are not, to restrict them. See the example snippet below.

However, I also read a post written almost 10 years ago saying that it would be preferable to do this via PHP, as checking for a cookie isn’t very secure and could be hackable. However, since then WordPress has improved how cookies are done and they are more secure, as I understand it.

Old Stack Overflow thread here.

How to Protect Uploads, if User is not Logged In?

How hackable is checking for a cookie if a person is logged in? Is the idea here that a person could brute-force the cookie? For me this solution is more straightforward and something I can easily wrap my head around.

.htaccess example here – check to see if a person is logged in:

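<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} (.*)
    # True when the Cookie header has no cookie named wordpress_logged_in_<suffix>
    RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_([a-zA-Z0-9_]*) [NC]
    # Respond with 403 Forbidden and stop processing further rules
    RewriteRule .* - [F,L]
</IfModule>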
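
Added example, not part of the original post: a sketch of the PHP approach the question mentions. The `.htaccess` condition above only tests that a cookie with that name is present, while `is_user_logged_in()` has WordPress validate the cookie's signature and expiry server-side. The file name `protect-upload.php`, the `file` query parameter and the rewrite rule in the comment are assumptions made for this illustration.

```php
<?php
// protect-upload.php (hypothetical name), placed in the WordPress root.
// Assumed rule in the root .htaccess that routes upload requests here:
//   RewriteRule ^wp-content/uploads/(.+)$ protect-upload.php?file=$1 [QSA,L]

// Load WordPress so the auth cookie is validated, not just checked for presence.
require_once __DIR__ . '/wp-load.php';

// is_user_logged_in() is true only if the cookie's HMAC and expiry verify.
if ( ! is_user_logged_in() ) {
    status_header( 403 );
    exit( 'Forbidden' );
}

$uploads = wp_upload_dir();
$base    = realpath( $uploads['basedir'] );
$request = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
$path    = ( false !== $base ) ? realpath( $base . '/' . $request ) : false;

// realpath() resolves "../" and symlinks; refuse anything that ends up
// outside the uploads directory or is not a regular file.
if ( false === $path
    || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
    || ! is_file( $path ) ) {
    status_header( 404 );
    exit( 'Not found' );
}

// Use WordPress's extension-to-MIME map; unknown types (including .php)
// are sent as a generic download and are never executed.
$type = wp_check_filetype( $path );
$mime = $type['type'] ? $type['type'] : 'application/octet-stream';

// Keep protected files out of shared caches and stop MIME sniffing.
nocache_headers();
header( 'Content-Type: ' . $mime );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

Every upload request now boots WordPress, so this costs more per request than the rewrite-only check.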