Solution:
You might be interested in this: deny direct access to a folder and file by htaccess
simply put a .htaccess file with the content “deny from all” in the folder. Then only scripts from your webspace should be able to read files from there.
This should be a first step. You would need a php-file serving the data instead of accessing those files directly. Eg like this: http://www.kavoir.com/2009/05/php-hide-the-real-file-url-and-provide-download-via-a-php-script.html
(as I am not aware of wordpress plugins, maybe just google for them, this explains how to write those in php – if you cant do that youre pretty much stuck to wordpress plugins)