We Keep Coding

Auth protect a Wordpress site except one page

I protected an entire Wordpress site with an .htaccess in the /var/www/html direction containing the following regular authentication:
AuthName "Restricted Admin-Area"
AuthType Basic
AuthUserFile /var/www/html/.htpasswd
Require valid-user
However, now my boss asks me to unprotect just one page of the Wordpress site (specifically /subscription):
When we access www.site.com/subscription : no authentication is asked
When we access the rest of www.site.com : an authentication is asked
So I added the following as an exclusion:
SetEnvIf Request_URI "(subscription/)$" allow
SetEnvIf Request_URI "(subscription)$" allow
Order allow,deny
Allow from env=allow
Satisfy any
The problem though, is that for this exclusion to work, the subscription/ directory must exist "physically" on the server.
But it is a Wordpress page, generated automatically following index.php contained in the Wordpress database.
Therefore, the exclusion does not work and I'm asked an authentication when accessing this page.
I've looked for hours and tried to modify tons of things (even creating a subscription2/ directory pointing to subscription), but nothing worked.
Please can you help?
Thank you!

Is it possible to make different htaccess user authentication on two different files?

I have a website made with WordPress and I want to make two different htaccess logins for two template files. Is this possible?
I have this next code for one of the templates but I want to do the same thing for the second template, only with different username and password.
The templates are located in the same directory and the .htaccess, .htpasswd files are in the root of the website.
I tried user username instead of valid-user, made a different directory in public_html for another .htpasswd file with the password and username for the second file. Nothing worked as it should.
The code:
SetEnvIf Request_URI /colaborators/$ require_auth=true
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/my_whole_path/public_html/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

I will answer my own question, maybe this will help someone:
In my case, I had the .htaccess and .htpasswd files outside WordPress, in the root directory. What I had to do to make my second page .htaccess protected with different user and password than the first one:
I made a new directory in the root folder, inside it I created another .htaccess file and a new .htpasswd, plus my page (called it index.php).
SetEnvIf Request_URI /test/$ require_auth=true
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/my_whole_path/public_html/new_directory/.htpasswd
Require valid-user
Order Deny,Allow
Deny from all
Satisfy any
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
In index.php I loaded WordPress with a require_once 'wp-load.php', the header.php and the rest of the page code.
And that's all.
Hope will help.

.htaccess requests correct login twice with .htpasswd and wordpress

I use .htaccess to ask for credentials to access members only data. The .htaccess file is stored in one of the directories and protects everything in directories below it. The .htaccess file itself is very simple:
AuthName "Members Area"
AuthType Basic
AuthUserFile /home/xxxxx/public_html/xxx/data/.htpasswd
require valid-user
Problem is, when we moved to a new server (and built the new website within that directory using WordPress), the Authentication Box now comes up twice and requires users to enter the same correct login information both times.
I've read in other strings here about trailing /, but since I don't have a redirect or anything else in my .htaccess, I'm not quite sure what to do.
Anybody have any suggestions on a workaround or rewrite?

This is most likely because you're running an https redirect (or another redirect) inside another .htaccess file. So it is asking for the authentication once in http, and once in https. If you do this:
<If "%{HTTPS} == 'on'">
AuthType Basic
AuthName "Password Area"
AuthUserFile "/yourdirectory/.htpasswd"
<IfVersion >= 2.4>
AuthMerging And
</IfVersion>
Require valid-user
</If>
then it will only ask for the password once the redirect has happened. Otherwise, get rid of the second redirect.

3 htaccess protection rules on 3 different environments

I need to protect different par of my website depending on the environment I'm working on.
I have three different environments:
localhost : protect nothing
www.test.example.com : protect the whole website (it's a test website so I don't want it to be accessible)
www.example.com : protect only /admin url (the live website, only /admin is protected)
For now, I use different htaccess files.
For test.example.com, I add:
AuthUserFile mypasswordfile
AuthType Basic
AuthName "Enter password"
require valid-user
For example.com, I add:
SetEnvIf Request_URI /admin/? auth=1
AuthUserFile mypasswordfile
AuthType Basic
AuthName "Enter a password"
Order Deny,Allow
Deny from all
Allow from env=!auth
Require valid-user
Satisfy any
Is there a way to use only one htacess with condition to have something like
if(localhost) { do nothing }
if(test.example.com) { require valid user on all domain }
if(example.com) { require valid user only on /admin}

You can use this combined .htaccess:
# require valid user only on /admin
SetEnvIf Request_URI ^/admin(/|$) auth=1
# if(test.example.com) { require valid user on all domain }
SetEnvIf Host ^test\.example\.com$ auth=1
# if(localhost) { do nothing }
SetEnvIf Host ^localhost$ !auth
AuthUserFile mypasswordfile
AuthType Basic
AuthName "Enter a password"
Order Deny,Allow
Deny from all
Allow from env=!auth
Require valid-user
Satisfy any

You could use version control, for example Mercurial (hg) and add those files to ignore list. This way the .htaccess files will not be overwritten when pushing changes.

If you're running Apache 2.4+ it has an <If .. > Directive you can use : http://httpd.apache.org/docs/2.4/mod/core.html#if
So you could read the Apache SERVER_NAME and apply conditions accordingly inside your .htaccess file.
<If "%{SERVER_NAME} =~ /^test\.example\.com/">
** require valid user on entire domain **
</If>
<ElseIf "%{SERVER_NAME} =~ /^example\.com/">
** require valid user only on /admin **
</ElseIf>
You could leave it as that or add in a specific <ElseIf> for 'localhost' with a final <Else> containing 'Deny from all' or similar - just to make sure you don't leave it open if you upload onto another development environment.
Note: you could also use SERVER_ADDR instead of SERVER_NAME and identify the server by IP address - which might be more reliable.

Authentication multiple files

So rather than excluding one file from the entire authentication like I tried to here. I've just decided to add specific files to the authentication like this:
<Files ...>
</Files>
The thing is when it's like this:
<Files Available.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It works in that it requires an authentication for the php. However when I put multiple files like this:
<Files Available.php,Insert.php,upload_file.php>
AuthType Basic
AuthName "Login"
AuthUserFile /disks/*/*/Folder/.htpasswd
Require valid-user
</Files>
It fails to require authentication for any of the files. Any ideas what I'm writing wrong syntactically? Also how do I require authentication for all sub-directories?

You can't put multiple file names in a directive. see for directive examples.
http://www.askapache.com/htaccess/using-filesmatch-and-files-in-htaccess.html
If you can't match the files with a wildcard, your best bet is to place them all in a subdirectory and use your authenication against that.
Your other option is to use php authenication with sessions (cookie or url based) and have the php files that require authentication check for a valid session before running.
I've written a fair number php based sites with authenicated admin and I always use a subdirectory and then ssl to make it more secure.