The wp_crm_system_custom_fields_protected_directory_htaccess_rules filter lets you modify the rules in the .htaccess file that protects the custom uploads directory found at /wp-content/uploads/wp-crm-system-custom-fields.

By default the .htaccess rules that are generated are as follows:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https://yoursite.com/ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.(3dm|3ds|3g2|3gp|7z|accdb|ai|aif|asf|asp|aspx|avi|bak|bmp|cer|cfm|crx|csr|css|csv|db|dbf|dcr|dds|doc|docx|dwg|dxf|eps|flv|fnt|fon|gif|gpx|gz|heic|htm|html|iff|indd|jpg|jpeg|js|jsp|key|kml|kmz|m3u|m4a|m4v|max|mdb|mid|mov|mp3|mp4|mpa|mpg|obj|ogg|otf|pages|pct|pdb|pdf|php|pkg|plugin|png|pps|ppt|pptx|ps|psd|pspimage|rar|rm|rpm|rss|sitx|sql|srt|svg|swf|tga|thm|tif|tiff|ttf|txt|vcf|vob|wav|wma|wmv|xhtml|xlr|xls|xlsx|xml|yuv|zip|zipx) [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in.*$ [NC]
RewriteRule .*\.(3dm|3ds|3g2|3gp|7z|accdb|ai|aif|asf|asp|aspx|avi|bak|bmp|cer|cfm|crx|csr|css|csv|db|dbf|dcr|dds|doc|docx|dwg|dxf|eps|flv|fnt|fon|gif|gpx|gz|heic|htm|html|iff|indd|jpg|jpeg|js|jsp|key|kml|kmz|m3u|m4a|m4v|max|mdb|mid|mov|mp3|mp4|mpa|mpg|obj|ogg|otf|pages|pct|pdb|pdf|php|pkg|plugin|png|pps|ppt|pptx|ps|psd|pspimage|rar|rm|rpm|rss|sitx|sql|srt|svg|swf|tga|thm|tif|tiff|ttf|txt|vcf|vob|wav|wma|wmv|xhtml|xlr|xls|xlsx|xml|yuv|zip|zipx)$ https://yoursite.com/ [NC]

These rules prevent anyone from viewing files uploaded to this directory (that are the file types specified) unless the referrer is from https://yoursite.com/ and the user is logged in.

Please note that if you are sharing links to your clients you may need to either change the .htaccess rules to allow logged out viewers or use the Client Area add-on to provide your clients with an area to log in and view their content.