WordPress: restrict access to /uploads/ folder to logged in user.

Create an .htaccess file in your /uploads/ folder and paste this code. Work only on Apache.

RewriteEngine On
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule ^(.*)$ - [R=403,L]