I have a page in Wordpress theme_directory/page-rsvp.php that i need password protected by .htaccess. I'm developing this locally using MAMP PRO.
I have an .htaccess and .htpasswd file in the theme_directory. I have the following in the .htaccess file but it's not working. Whenever I go to localhost:8888/site/rsvp the authentication prompt doesn't show up.
<Files “page-rsvp.php”>
AuthName "Username and password required"
AuthUserFile ./.htpasswd
Require valid-user
AuthType Basic
</Files>
There is of course the .htaccess file in the root of the wordpress install that looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /thepowerfulnow/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /thepowerfulnow/index.php [L]
</IfModule>
# END WordPress
How do I get this to work using only the first .htaccess file (the one in the theme_directory)? I need to have this theme be modular. I'm very new to .htaccess files. Thank you all!
You've added the authentication to your theme directory, so it'll work only if you access your theme file directly, using a URL like this:
http://localhost:8888/site/wp-content/themes/theme_directory/page-rsvp.php
If you want to restrict the access to your page URL (e.g. /site/rsvp), you need to use a different rule. You can add the following lines to the end of your main .htaccess file, that in the WordPress root dir.
# Set an env variable "auth" if the URI starts with "/site/rsvp"
SetEnvIf Request_URI ^/site/rsvp auth=1
AuthName "User and password required"
AuthType Basic
AuthUserFile "./.htpasswd"
# First, allow anyone
Order Allow,Deny
Satisfy any
Allow from all
Require valid-user
# Then, deny only if auth is required
Deny from env=auth
Remember to keep a copy of .htpasswd file into the same directory or set the path to that file using the AuthUserFile directive.
Alternative solution
My original answer used a <Location> directive to filter the URL to restrict, but it do not work in .htaccess files. Only under server config or a virtual host. Check the Context here: http://httpd.apache.org/docs/2.2/mod/core.html#location
If you want to use the restriction rule as below, and you have access in the server to do so, you need to add it to some of those contexts (server config or virtual host). Apache's config files are usually in the /etc/httpd or /etc/apache2 directories.
<Location "/site/rsvp"> # Where /site/rsvp is the URL you want to restrict
AuthName "Username and password required"
AuthUserFile /path/to/.htpasswd
Require valid-user
AuthType Basic
</Location>
Related
I have an Apache site where all URLs that points to a file without an extension reads as a .php file. I put those entries in the .htaccess file, and allowed it inside the httpd.conf file.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule !\. - [H=application/x-httpd-php]
It works great.
Now I add authentification to the website.
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
It only works if I comment out my RewriteEngine code.
One will work without the other, but not together. I've read a bit about the REMOTE_USER variable, but failed at some attempts.
Any recommendations to solve this?
Thanks
I am trying to allow user to wordpress wp-admin index page if query string contains parameter. I am setting env variable to allow them access. This is how my htaccess file looks like
RewriteEngine on
RewriteCond %{QUERY_STRING} !^author=1
RewriteRule ^ - [E=NO_AUTH:1]
AuthName "Staff Authorization Required"
AuthType Basic
AuthUserFile /usr/bin/.htpasswd
<Files "index.php">
Order Deny,Allow
Deny from all
Require user newagenumber
Allow from env=NO_AUTH
</Files>
Options -Indexes
As of yet, authorization dialog box appears for everyone. Please help :|
This is not working because Apache executed mod_auth module before mod_rewrite hence NO_AUTH is not set when basic authentication directives run.
Unfortunately this behavior is not that simple to change.
Here is a workaround solution that combines mod_rewrite, mod_setenvif and mod_auth:
RewriteEngine On
RewriteBase /wp-admin/
RewriteCond %{QUERY_STRING} (?:^|&)(author=1)(?:&|$) [NC]
RewriteRule ^(index\.php)?$ index.php/%1 [NC]
# set SECURED var to 1 if URI is /index.php/200
SetEnvIfNoCase Request_URI "/index\.php/(author=1)" NO_AUTH
AuthType Basic
AuthName "Login Required"
AuthUserFile /full/path/to/passwords
Require user newagenumber
Order Deny,Allow
Deny from all
Allow from env=NO_AUTH
Satisfy any
I met some trouble with my website (www.barbarian-strongman28.fr).
I set some url rewriting using this .htaccess which is in the main public folder of my server (called www)
.htaccess:
Options +FollowSymlinks
RewriteEngine On
ErrorDocument 404 /index.php?p=404
# Pages with the PHP p= parameter
RewriteRule ^([^/]*)/([^/]*)\.html$ /index.php?p=$1&id=$2 [L]
RewriteRule ^([^/]*)\.html$ /index.php?p=$1 [L]
I have a folder called admin that I want to protect.
So I set this .htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /htdocs/admin/.htpasswd
AuthGroupFile /dev/null
require valid-user
I've uploaded this file in the folder that I want to protect
The trouble I have is that the website also require an authentification even if I am not in the directory protected.
Any kind of help will be much appreciated.
I'm guessing your .htaccess file is in the main directory of your server. That's your problem:
"Also note that if you place this htaccess file in your root directory, it will password protect your entire site, which probably isn't your exact goal."
(from http://www.javascriptkit.com/howto/htaccess3.shtml)
So the solution is simple: put the .htaccess file in the directory you want to protect. You should also make sure of a few things (though they seem ok in your script):
That the paths to all the files are server paths not URLs (you've done this);
That the .htpasswd file is in a secure location
That the .htpasswd file is in the format username:password, with the password encoded - here's a tool for creating .htpasswd files if you need it.
Hope this helps.
Let's consider the folder www.mydomain.com/exemple protected with the following .htaccess:
.htaccess
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
I want to allow the access to the exemple folder only if a user has a specific cookie, or I raise an error (with the following [F] flag). Then I implemented the following code:
.htaccess
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [F,L]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
require valid-user
The problem is that when i load the exemple folder without the cookie, it goes through the authentification process first...I would like to do raise the error first. Anyone knows?
Try "Satisfy any" with a new environment variable. Two techniques are shown here:
.htaccess basic auth by virtual host? One uses SetEnvIf, the other uses a RewriteRule to set the variable. Since SetEnvIf cannot detect cookies, you will need RewriteRule. But I found on my shared hosting platform that RewriteRule could not play with "Satisfy any." If it works for you, it will look something like:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !CookieName=CookieValue
RewriteRule .* - [L,E=DENY:1]
AuthUserFile /root/FTPname/www/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Access"
AuthType Basic
Order Deny,Allow
Satisfy any
Deny from all
Require valid-user
Allow from env=!DENY
See also: htaccess exclude one url from Basic Auth
Watch out that the page you are protecting does not include images, stylesheets, etc., that trigger an authentication request when the page itself does not.
How can I deny access to http://sub.mydomain.com/, but allow for (completely) http://sub.mydomain.com/test (or http://sub.mydomain.com/test/)
There is a magento back-end behind http://sub.mydomain.com/test/
.htaccess directives apply to that directory, and all subdirectories thereof, so you should disallow access in your DocumentRoot,
http://sub.mydomain.com/.htaccess:
Order deny,allow
Deny from all
And override that in any specific subdirectories you would like to allow access to,
http://sub.mydomain.com/test/.htaccess:
Order allow,deny
Allow from all
How about a .htaccess at the root directory, with the following lines?
RewriteEngine On
# check if request is for subdomain
RewriteCond %{HTTP_HOST} ^sub.mydomain.com$ [NC]
# check if 'test' isnt part of request
RewriteCond %{REQUEST_URI} !^/test/?(.*)$ [NC]
# if subdomain and no 'test' part, redirect to main domain...
RewriteRule ^(.*)$ http://www.mydomain.com/$1 [R,L]
So if the '/test/' section is present, no redirect takes place...
Try create .htaccess file in sub.mydomain.com for deny, and in sub.mydomain.com/test for allow.
Or you can redirect from http://sub.mydomain.com/ to deny subdir.
I know this is a very old thread, but I've been struceling with exactly this scenario for several days and finally got it to work, thus I thought I'd share my solution for further reference.
As of Apache version 2.4 (I guess), it's possible to use directive <RequireAll> and <RequireAny>.
This can be used to allow access to specific subfolders.
My solution for .htaccess (inspired from this site: https://www.the-art-of-web.com/system/apache-authorization/):
SetEnvIf REQUEST_URI "^/test/.*" PUBLICACCESS
# Use for multiple subfolders:
# SetEnvIf REQUEST_URI "^/(?:test|test2|test3|test4)/.*" PUBLICACCESS
<RequireAny>
<RequireAll>
# Public access
Require env PUBLICACCESS
Require all granted
</RequireAll>
<RequireAll>
# Require user and password
AuthType Basic
AuthName "Secured"
AuthUserFile /var/www/example.com/.htpasswd
Require valid-user
</RequireAll>
</RequireAny>
I'm using a cpanel powered server which will add .htaccess entries like the following:
#----------------------------------------------------------------cp:ppd
# Section managed by cPanel: Password Protected Directories -cp:ppd
# - Do not edit this section of the htaccess file! -cp:ppd
#----------------------------------------------------------------cp:ppd
AuthType Basic
AuthName "Protected"
AuthUserFile "/home/****/.htpasswds/sites/****/passwd"
Require valid-user
#----------------------------------------------------------------cp:ppd
# End section managed by cPanel: Password Protected Directories -cp:ppd
#----------------------------------------------------------------cp:ppd
I wanted to allow access to a specific subfolder, and the solution was creating an .htaccess file within that subfolder and placing the following inside:
Satisfy any
If you have protected your DocumentRoot by Auth, then you can allow your Subfolder by follow:
http://sub.mydomain.com/test/.htaccess:
require all granted
Order allow,deny
Allow from all