Auth protect a Wordpress site except one page - php

I protected an entire Wordpress site with an .htaccess in the /var/www/html directory containing the following regular authentication:
AuthName "Restricted Admin-Area"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user
However, now my boss asks me to unprotect just one page of the Wordpress site (specifically /subscription):
When we access www.site.com/subscription: no authentication is asked
When we access the rest of www.site.com: an authentication is asked
So I added the following as an exclusion:
SetEnvIf Request_URI "(subscription/)$" allow
SetEnvIf Request_URI "(subscription)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
The problem though, is that for this exclusion to work, the subscription/ directory must exist "physically" on the server.
But it is a Wordpress page, generated automatically following index.php contained in the Wordpress database.
Therefore, the exclusion does not work and I'm asked for authentication when accessing this page.
I've looked for hours and tried to modify tons of things (even creating a subscription2/ directory pointing to subscription), but nothing worked.
Please can you help?
Thank you!
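An added example (not from the question or any answer) of the exclusion with the rewrite case handled. It assumes the standard WordPress pretty-permalink rules live in the same .htaccess, the same Apache 2.2-style access directives the question uses, and that the page is only ever requested as /subscription or /subscription/.

```apache
# .htaccess in the WordPress document root (same 2.2-style directives as the question)
AuthName "Restricted Admin-Area"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user

# 1. Mark the original request for /subscription or /subscription/. The pattern is
#    anchored so that a path such as /foo/unsubscription does not match
#    (assumption: the page is only requested at exactly that path).
SetEnvIf Request_URI "^/subscription/?$" allow

# 2. WordPress pretty permalinks rewrite /subscription to /index.php through an
#    internal redirect. Apache runs access control again for that second request,
#    whose Request_URI is now /index.php, and hands over the first request's
#    environment with a REDIRECT_ prefix. Re-derive "allow" from REDIRECT_allow so
#    the exclusion survives the redirect. (A real subscription/ directory "fixed"
#    it because a directory is served without that rewrite.)
SetEnvIf REDIRECT_allow "^1$" allow

# 3. Pass when the variable is set for this request, otherwise fall back to Basic auth.
Order allow,deny
Allow from env=allow
Satisfy any

# Apache 2.4 equivalent of step 3 (assumption: mod_authz_core and mod_authz_env loaded):
# <RequireAny>
#     Require env allow
#     Require valid-user
# </RequireAny>
```

Stylesheets, scripts and images the page loads from /wp-content and /wp-includes stay behind the prompt, so extend the first SetEnvIf to those paths if the page must render for anonymous visitors. Verify with curl -I: /subscription should return 200 and any other path 401.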

Related

WordPress htaccess Admin Panel Prompting For Password on Main

I have the following in the htaccess file in my /wp-admin folder:
AuthType Basic
AuthName "Example"
AuthUserFile "/home/username/.htpasswds/public_html/example.com/wp-admin/passwd"
require valid-user
For some reason when I load up a wordpress article it prompts for authentication.
The main page is fine, but individual articles prompt for a password.
I found a solution to my problem.
The reason why it was prompting for a password is because some WordPress plugins require access to admin-ajax.php.
If you add the following on top of the quote above it will allow you to password protect the wp-admin folder.
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Does WordPress require a full index.php in the root folder? Is there a better way to secure from hacking?

Not a programmer or PHP expert here: please assume entry-level knowledge.
For security reasons, I'd like to allocate the contents of the index.php in my main WordPress folder to something else -- say, fish.php and just have an index.php that calls it, like so:
<html>
<body>
<?php include 'fish.php'; ?>
</body>
</html>
The fish.php file would contain everything that's usually in index.php. It would just be named fish.php.
Will this completely break WordPress? Is a full, detailed index.php file absolutely necessary for it to function, or is it a one-time "load and go" php file that isn't referred to again once WP is in the browser?
Your question is confusing. So you want another file that then includes the contents of index.php in WordPress? What are you trying to achieve? The basic gist of your question seems to be this line:
Is a full, detailed index.php file absolutely necessary for it to
function, or is it a one-time "load and go" php file that isn't
referred to again once WP is in the browser?
The way content management systems—or virtually any controller-based system—work is to filter all requests through one file & then act on them. In WordPress, that is index.php. And it does more than just load the homepage. It’s the gateway page to all other pages. So you can muck around with it, but why? And for what benefit?
EDIT: The original poster in the comments to my answer explains that they are thinking of ways to prevent a WordPress site from being hacked. Renaming a file will not work. Especially since index.php is only seen on the server side. Let’s say by some crazy config the original poster adjusts Apache to always load fish.php as their index. The web browser—and users & bots—will still get WordPress content. Instead I do the following as a solid brute-force way of avoiding hacks: I place .htaccess password protection on the admin areas of CMS systems. The logic being—and it has worked so far—that most CMS systems are attacked by scripts that hack vulnerabilities in the admin or login process. Yes, some bots might get through. But you can eliminate tons of “low hanging fruit” with this method.
For example, below is part of the Apache virtual host config that I will use as an example for a site I am calling mygreatsite.com that I have based in the standard /var/www. Note that I am adding authorization for wp-login.php and wp-admin but allowing admin-ajax.php to pass since many functions use it. Now users who administer the site will need to remember an additional—somewhat generic—htpasswd_wordpress_admin user/password combination on top of their standard WordPress credentials. But guess what? Most CMS hacking scripts give up when faced with a browser based password coming from Apache like this.
# Added for WordPress CMS protection.
# wp-login.php is a file, so it must be matched with <Files>, not <Directory>
# (Options and AllowOverride are not valid inside a <Files> section).
<Files wp-login.php>
AuthName "WordPress Login"
AuthType Basic
require valid-user
AuthUserFile /etc/apache2/htpasswd_wordpress_admin
Order Deny,Allow
Deny from all
Satisfy Any
</Files>
# Added for WordPress CMS protection.
<Directory /var/www/mygreatsite.com/wordpress/wp-admin>
Options FollowSymLinks
AllowOverride all
AuthName "WordPress Admin"
AuthType Basic
require valid-user
AuthUserFile /etc/apache2/htpasswd_cms_admin
Order Deny,Allow
Deny from all
# Allow 'admin-ajax.php' to pass.
<Files admin-ajax.php>
# Order Allow,Deny
Allow from all
</Files>
Satisfy Any
</Directory>

Apache LocationMatch authorize all subpaths PHP

We have a PHP site:
site.com
We want all subpaths from the root to require basic authentication. e.g.
site.com - no authentication required
site.com/subpath requires authentication
We have this directive:
<LocationMatch "^/.+$">
AuthName "members Only"
AuthType Basic
AuthBasicProvider file
AuthUserFile /Applications/MAMP/conf/apache/extra/auth-pass-file
Require valid-user
</LocationMatch>
However it is asking for a password when we go to http://site.com/ or http://site.com.
Can someone suggest a solution so that authorization is only asked for subpaths?
<LocationMatch "^/.*/.+$"> should work. Your LocationMatch is actually selecting everything in the root directory, you need to go one level down.
We added specific directories to check (ones that exist) and created an error redirect when people tried to fish for non-existent pages.
Because authz rules are applied not only to the actually-requested /, but also to what that expands to -- such as /index.html
You need to allow that separately, unfortunately...
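As an added example (not from the question or its answers), one section that leaves the root and its index file open but protects every other path, including single-level ones such as /subpath, which the `^/.*/.+$` pattern above does not match. It assumes the Apache 2.2 syntax of the question, an index file named index.html or index.php, and that sub-paths are real files or directories rather than requests rewritten to the front controller.

```apache
# httpd.conf / vhost. A request for "/" is served through a DirectoryIndex
# sub-request for /index.html (or /index.php), and that sub-request is matched
# against <LocationMatch> too, so the index file must be excluded explicitly.
# The negative lookahead excludes the index file; "/" itself has no ".+" after
# the slash and so never matches. Everything else, /subpath included, requires
# a valid user.
<LocationMatch "^/(?!index\.(html|php)$).+$">
    AuthName "members Only"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /Applications/MAMP/conf/apache/extra/auth-pass-file
    Require valid-user
</LocationMatch>
```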

.htaccess and .htpasswd ignore subfolders

I want to ignore folders on my website, but as I often create subfolders on it, I want to ignore subfolders too.
Here's my .htaccess :
AuthType Basic
AuthName "Auth Required"
AuthUserFile ".htpasswd location"
Require valid-user
SetEnvIf Request_URI "(folder I want to ignore for everyone)$" allow
Order allow,deny
Allow from env=allow
# allow open access to entire site for those IPs:
allow from xx.xx.xxx.xx.xxx
Satisfy any
When I go to a subfolder, it keeps asking for a login and password, but when I click on "Cancel" to cancel that login, everything goes fine and no other box is shown.
All I want is to not have this box shown.
Thanks !
.htaccess settings ALWAYS affect subfolders unless you override them with another .htaccess which would change the behaviour set in the parent folder's .htaccess

Send all traffic a 404 error

What is the best way to send all traffic to your site a 404 page? I'm currently working on the site and would like it to just 404 for all requests. I've tried playing around with htaccess files but haven't been too successful in getting one working like this. Additionally, I would like traffic to a particular folder to still get through.
As your question is stated the easiest way would be to move all your content into that folder.
However, reading between the lines it sounds like you want to view the site in the root folder, and block anyone else from doing the same. It seems to me what you want to do is look at the Apache manual's section on Authentication and Authorization
http://httpd.apache.org/docs/2.0/howto/auth.html
Something like the following in a Location or Directory section of your Apache config, or in a .htaccess file should work. You can put the page you want to show your users in a special location
#The page you want to show denied users.
ErrorDocument 403 /path/to/403.html
#The page you want to show when pages aren't found (404)
ErrorDocument 404 /path/to/404.html
#For Password Protection
#Use the htpasswd utility to generate .htpasswd
AuthType Basic
AuthName "My Secret Stuff"
AuthUserFile /path/to/my/passwords/.htpasswd
Require valid-user
#For IP protection (Apache does not accept a comment after a directive on the same line)
Order allow,deny
#Your IP here
Allow from 1.2.3.4
#If you want to use a combination of password and IP protection
#This directive works if they have a valid IP OR a valid user/pass
Satisfy any