Password Protect Wordpress Plugin Directory without htaccess - wordpress

Does anyone know how to password protect a directory in a Wordpress plugin folder WITHOUT .htaccess?
Apparently WPEngine no longer lets you put htaccess files in the directory - it's been deprecated for some reason.

This would seem to be a loaded question... just because you can't use .htaccess in the directory you want to protect, doesn't necessarily mean you can't use the main .htaccess file in the root.
On Apache 2.4 you can use an Apache <If> expression to limit the HTTP Authentication directives to just that directory.
For example:
<If "%{REQUEST_URI} =~ m#^/wp-content/plugins/#">
AuthType Basic
AuthName "Private Area"
AuthUserFile "/private/path/outside/document-root/.htpasswd-wp-content-plugins"
Require valid-user
</If>

Related

Exclude subdirectories in htaccess / Ask for different credentials in subdirectories / Stop infinite loop of authentication

I want to have htaccess ask for a password on my entire site. However, one subdirectory (folder1, which has WordPress installed) should ask for different login information (userY).
When I remove the auth thing from htaccess in the main folder everything works perfectly fine, but when I have it added I am being infinitely asked for user authentication when I am doing anything in folder1/WordPress.
My directories look something like this:
- folder1
-- wp-admin
-- wp-content
-- wp-includes
-- .htaccess
-- other wp php stuff
- folder2
- folder3
- index.html
- .htaccess
- .htpasswd
My .htaccess for main folder looks like this:
AuthUserFile /home/sites/www.website.at/web/.htpasswd
AuthName Admin
AuthType Basic
Require user userX
AuthGroupFile /home/sites/www.website.at/web/.group
My .htaccess in folder1 looks like this:
AuthUserFile /home/sites/www.website.at/web/.htpasswd
AuthName Admin
AuthType Basic
Require user userY
AuthGroupFile /home/sites/www.website.at/web/.group
I expect it to ask for UserX in folder2, folder3 and main folder (This part works). I expect it to ask for UserY in folder1, but without giving me an endless loop for authentication.
ChatGPT solved the question.
The AuthGroupFile /home/sites/www.website.at/web/.group which my Provider automatically added to the .htaccess was not necessary, because I didn't use groups. Because I didn't use groups, there was no .group file.

Wordpress Protect Subdirectory

I have a site which is in WordPress; there is one folder within the root of it, which is built in static PHP.
When I am trying to protect that site with .htaccess it conflicts with the root .htaccess of WordPress.
I have placed the protection htaccess within the folder.
This is what I put in the webmaster directory .htaccess file, but it goes 404:
ErrorDocument 401 /401.html
AuthType Basic
AuthName "welvo maker"
AuthUserFile "/home/welvo/.htpasswds/public_html/webmaster/passwd"
require valid-user
Hello, you can protect the subfolder directory using .htaccess by adding the line below:
RewriteBase /subfolderdirectoryname
You can also see the reference link, which will help you understand better.
New rewrite rules in subdirectory with htaccess

Allow Timthumb to work in a htpasswd protected Wordpress

I have a domain I use for development purposes. In this domain I have several subdirectories with different wordpress installations.
To hide the whole area I made a simple htpasswd protection in the root.
Now I have one of this Wordpress in the domain that uses timthumb library to resize images, and due to the htpasswd, I get "NetworkError: 400 Bad Request" instead of the image.
This is an example of the request that gets the error
http://subdomain.domain.com/WP/wp-content/plugins/plugin-directory/timthumb.php?src=http%3A%2F%2Fsubdomain.domain.com%2FWP%2Fwp-content%2Fuploads%2F2015%2F01%2F012015_valentines_hp_budvase.jpg&w=300&h=620&zc=1
Is there a way to bypass the protection only for that file?
More details on my paths to better read my .htaccess snippets:
I'm in a subdomain pointed to a subdirectory called 'subdomain_folder'
.htaccess I'm working on is located in 'subdomain_folder'
WP is in a subdirectory called 'WP' inside 'subdomain_folder'
Complete Path to WP: '/home/some-folder/public_html/subdomain_folder/WP'
Complete Path to Uploads: '/home/some-folder/public_html/subdomain_folder/WP/wp-content/uploads'
I tried this:
SetEnvIf Request_URI "^/WP/wp-content/plugins/plugin-dir/timthumb\.php$" allow
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order allow,deny
Allow from env=allow
Satisfy any
UPDATE
Someone advised me that allowing access to the timthumb.php file is pointless; instead I should allow it to make HTTP requests, or allow full access to the uploads folders, so I tried the following, allowing requests from the localhost IP:
AuthType Basic
AuthName "Reserverd Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Satisfy Any
Tried both localhost and 127.0.0.1
I even tried to add another .htaccess in the single WP upload folder (where timthumb asks for images) with rule to allow from any
Satisfy Any
Order Allow,Deny
Allow from all
Still I can't get images shown, and I keep getting the "NetworkError: 400 Bad Request" instead of the image.
Last Detail, the .htaccess in the WP directory is a standard wp htaccess --> pastebin.com/8PRqEYQ2
I found the solution.
The right way is indeed allowing requests from the server itself, but the localhost IP (127.0.0.1) was not the right address to allow.
I made a Reverse IP Lookup searching for the domain I'm on, and I used that IP.
This is the .htaccess that works
RewriteEngine On
<IfModule mod_authn_file.c>
AuthName "Restricted Area"
AuthUserFile "/home/path-to-passfile/passwd"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
# Use your server ip:
Allow from 111.111.111.11
Satisfy Any
</IfModule>
With these rules I can develop apps using timthumb.php in a .htpasswd protected directory.
Criticisms and improvements are welcome :)
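The working .htaccess above uses the Apache 2.2 directives Order, Deny, Allow and Satisfy, which Apache 2.4 only supports through mod_access_compat. The same rule in Apache 2.4 authorization syntax follows, as an added example that is not part of the original post; the nested RequireAll block, which limits the server's password-free requests to the uploads path, is an assumption built from the paths given in the question.

```apache
# Added example, not from the original post. Apache 2.4 authorization syntax.
#
# Deliberately no <IfModule> wrapper: if the auth module is not loaded, the
# request fails with a 500 error instead of the directory being served
# without any password check.

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/path-to-passfile/passwd"

# Replaces "Order Deny,Allow / Deny from all / Allow from <ip> / Satisfy Any".
# Access is granted when ANY one of the conditions inside <RequireAny> holds.
<RequireAny>
    # Everyone else has to log in.
    Require valid-user

    # The server's own requests (timthumb.php fetching the source image over
    # HTTP) skip the password, but only when BOTH conditions below hold.
    # A plain one-to-one translation of the original would be just
    # "Require ip 111.111.111.11" here, exempting that IP for every path.
    <RequireAll>
        # Use your server IP, as in the post above.
        Require ip 111.111.111.11
        # Assumed path, taken from the question: WordPress lives in /WP/
        # and timthumb.php reads its images from the uploads folder.
        Require expr "%{REQUEST_URI} =~ m#^/WP/wp-content/uploads/#"
    </RequireAll>
</RequireAny>
```

Use this in place of the Order/Deny/Allow/Satisfy lines rather than alongside them; the Apache documentation discourages mixing the two styles.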

Protect Development Wordpress site using htaccess

How can I completely password protect a development WordPress site from search engines and humans using htaccess?
Also, can you specify in which folder I need to keep the .htaccess file in WordPress to completely block it?
I tried it with the following htaccess file, but after logging in only the homepage shows up and other pages don't work.
SetEnvIf Host dev.test.com passreq
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/user/dev.test.com/wp-content/themes/theme_name/.htpasswd
Require valid-user
Order allow,deny
allow from all
Deny from env=passreq
Satisfy any
What am I doing wrong? Currently I am keeping .htaccess file in *wp-content/theme/theme_name/.htaccess*
You should put your file in your webroot to completely password protect it. Putting it under wp-content/theme/theme_name will only protect files served from this directory.

Password protect download directly in wordpress

I'm trying to password protect a directory in WordPress in my cPanel and it's not working; WordPress keeps picking up the URLs and writing to its own software. How can I get around this?
Even if I put my files in /wp-content/uploads/downloads/ it's still not recognizing them as downloadable, it forwards to a wordpress 404 error
1) create a .htaccess file in the directory you want to hide with this content:
AuthUserFile /www/path/to/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Confidential Information"
AuthType Basic
require user admin
then create a .htpasswd file with this content:
admin:password
and then only user 'admin' with password 'password' should be able to access directory.
or..
2) if you just move it below the public HTML root folder then you don't have to worry about password protecting it - nobody can access it without direct server access
Create a .htaccess file in your downloads directory:
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Confidential Information"
AuthType Basic
require valid-user
Create a htpasswd file (outside your web root) like so:
htpasswd -bc /path/to/file/.htpasswd admin password
