I use a .htaccess rule to add an extra layer of password security to the wordpress login page. Now as the whole wp-admin is protected. Users who wish to register, lands on the page with the username and password prompt for the authentication.
Is there anyway I can bypass this only for user registration URI?
I currently have authentication for this URL - www.example.net/wp-login.php
But I couldn't exclude the authentication prompt for this URL - www.example.net/wp-login.php?action=register
This is my .htaccess rule:
<FilesMatch "wp-login.php">
AuthName "Authorized Users only"
AuthType Basic
AuthUserFile /home/user/.wpadmin
require valid-user
</FilesMatch>
Is there anyway to exclude the security authentication for the queried URL for registering in my site?
Possibly (not tested) but you'll need a rewrite rule to create a specific URL for the registration page eg.
RewriteEngine On
RewriteRule wp-register wp-login.php?action=register [NC,L]
Then a block to disable authentication for that URL eg:
<Location "wp-register">
Order Deny,Allow
Allow from All
Satisfy Any
#AuthBasicFake dummyRegOnlyUserId dummyRegOnlyPass
</Location>
If that doesn't work as is, try adding a dummyRegOnlyUserId to your password file and uncommenting the directive.
Related
I use .htaccess to ask for credentials to access members only data. The .htaccess file is stored in one of the directories and protects everything in directories below it. The .htaccess file itself is very simple:
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/xxxxx/public_html/xxx/data/.htpasswd
require valid-user
Problem is, when we moved to a new server (and built the new website within that directory using WordPress), the Authentication Box now comes up twice and requires users to enter the same correct login information both times.
I've read in other strings here about trailing /, but since I don't have a redirect or anything else in my .htaccess, I'm not quite sure what to do.
Anybody have any suggestions on a workaround or rewrite?
This is most likely because you're running an https redirect (or another redirect) inside another .htaccess file. So it is asking for the authentication once in http, and once in https. If you do this:
<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Password Area"
AuthUserFile "/yourdirectory/.htpasswd"
<IfVersion >= 2.4>
AuthMerging And
</IfVersion>
Require valid-user
</If>
then it will only ask for the password once the redirect has happened. Otherwise, get rid of the second redirect.
Please could anyone help me in my hour of need? :) I have been working on a landing page that's been set up for corporations and their employees. Anyway the gist is, the page is only available via login which is provided via promotional materials.
So I have index.php and it's only available via login using .htpasswd and .htaccess
.htaccess reads
AuthUserFile /my/path/to/.htpasswd
AuthName "Company Name"
AuthType Basic
However, up until now we have had a holding page, index.html which we have now removed so index.php displays when someone calls up http://mydomainname.com/ or http://www.mydomainname.com
If I visit http://mydomainname.com/ or http://www.mydomainname.com, all I get is a 401 Authorisation required page.
But if I visit the http://mydomainname.com/index.php the right page appears.
I have asked the hosting company and all they do is remove the .htaccess file which defeats the object. Theys ay I had an error in my .htaccess file, but it worked ok when there was an index.html page (which was the holding page).
If you just need to remove the www's in the url (which I think is what you're after), try the following in your htaccess;
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1%{REQUEST_URI} [R=301,QSA,NC,L]
This should work as long as your servers set up to handle either url. E.g. with apache, the ServerAlias would be like so ServerAlias *mydomain.com the * allows for both www's and no www's
EDIT
If I look at one of my own htaccess/htpasswd files I have the following, check yours is similar;
htaccess;
AuthType Basic
AuthName "Hidden Page"
AuthUserFile /var/www/mysite.com/hiddendir/.htpasswd
Require valid-user
htpasswd;
USER:encryptedpasswordstring
Ok I modified my original question so much I missed the point. I was limiting access to one page, but to achieve what we wanted (login only), we had to remove the from:
<Files "index.php">
Require valid-user
</Files>
And bingo it works! Thanks a lot for all your help.
I have the following in the htaccess file in my /wp-admin folder:
AuthType Basic
AuthName "Example"
AuthUserFile "/home/username/.htpasswds/public_html/example.com/wp-admin/passwd"
require valid-user
For some reason when I load up a wordpress article it prompts for authentication.
The main page is fine, but individual articles prompt for a password.
I found a solution to my problem.
The reason why it was prompting for a password is because some WordPress plugins require access to admin-ajax.php.
If you add the following on top of the quote above it will allow you to password protect the wp-admin folder.
# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
I want to implement basic http authentication, and I have written in .htaccess file.
I also need to check one condition if I request www.example.com it should ask me for basic authentication. If other application contains link e.g. www.example.com/main/newscorm/start.php?page_id=10&cidReq=U8COACHINGCERTIFICAT&cf=ad4d82421f7e2a66906a0177bf132221 and if I click on this link it should not ask me for basic authentication, how i write a rule for that.
Create encrypted passwords file then place this code in your .htaccess:
# set env variable SECURED if current URI is /
SetEnvIfNoCase Request_URI "^/?$" HOME
# invoke basic auth if SECURED is set
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /full/path/to/passwords
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=HOME
You should rather implement basic http authentication on php, not by .htaccess. Then you can check your cf parameter and determine whether the link is valid one or should move to basic http authentication. For detail of implementation, you can see http://php.net/manual/en/features.http-auth.php .
I need to password protect a directory with .htaccess, which I have successfully done. But the front end of the website was programmed to link to images within this password protected directory (not by me), but when a webpage tries to access those images it prompts the user to login.
Is it possible to password protect that directory, but allow any access to any image file type like *.jpg and *.gif?
My current .htaccess code is this:
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
Thanks for any help!
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
<FilesMatch "\.(png|jpe?g|gif)$">
Satisfy Any
Allow from all
</FilesMatch>
Edit to incorporate Shef's improvement
You could check all the different options of configuration .htaccess gives you in the following site:
Stupid htaccess Tricks
Did you try put it inside Filematch?
<FilesMatch "^.*(png|jpe?g|gif)$">
AuthName "Secure Area"
AuthUserFile "/home/siteuser/.htpasswds/public_html/admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
What you could try is to write an image display proxy:
Keep the directory like you have it now, with password protection.
On the .htaccess on the root of the website where the images are linked, add a Rewrite rule for those image types you want. This rule should redirect the call to a PHP handler script.
That script should evaluate the path that was being requested, load the file from the filesystem, deduct its header and send that to the client using header(), followed by the image file's content echo file_get_contents()should do.
PHP is not affected by the .htaccess so it should be able to read the file you need and proxy it to the end user.