Lock Wordpress /wp-admin/ using password with Apache 2.4 - wordpress

I want to lock down the /wp-admin/ area with a login and password. On Apache 2.3, I used to configure my /var/www/html/wp-admin/.htaccess like this:
AuthType Basic
AuthName "Restricted files"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
How is the same configuration done on Apache 2.4?

Apache 2.4 is exactly the same as 2.2 for password protecting a directory. I use this on a number of sites running on 2.4:
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /this/is/your/dir/.htpasswd
Require valid-user
Then you obviously have your .htpasswd file which looks like:
admin:Umvdgh40rXES3ChsKg444
For access to your file in Apache 2.4:
<Files admin-ajax.php>
Require all granted
</Files>
You can view the Apache Documentation for the upgrade by following this link http://httpd.apache.org/docs/2.4/upgrading.html
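Putting the two halves of the answer into one file, as an added example rather than code from the original post: a complete Apache 2.4 /wp-admin/.htaccess. The path /etc/httpd/.htpasswd, the realm name and the htpasswd command line are assumptions. The question's Order / Allow from all / Satisfy any lines are Apache 2.2 access-control syntax, which 2.4 only accepts through mod_access_compat and which does not combine with Require rules; the native 2.4 way to exempt one file is a Require inside the <Files> section, because with the default AuthMerging Off a Require in a more specific section replaces the one inherited from the enclosing directory. Note that wp-login.php lives in the site root, not under wp-admin, so it is not covered by this file.

```apache
# /var/www/html/wp-admin/.htaccess  (Apache 2.4, mod_auth_basic + mod_authz_core)
# Added example; the password-file path and realm name are assumptions.

AuthType Basic
AuthName "Restricted files"
# Create the file with bcrypt hashes (2.4 htpasswd):
#   htpasswd -B -c /etc/httpd/.htpasswd admin
# and keep it outside the document root so it can never be served.
AuthUserFile /etc/httpd/.htpasswd
AuthBasicProvider file
Require valid-user

# admin-ajax.php is also called by logged-out visitors (themes and plugins use
# it from the front end), so it must stay reachable without a password.
# In 2.4 this Require replaces the inherited "Require valid-user" for this one
# file (AuthMerging defaults to Off); no "Satisfy any" is needed, and the old
# Order/Allow lines would only be understood if mod_access_compat were loaded.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Because "Require all granted" needs no user, Apache does not even issue the Basic challenge for admin-ajax.php; every other path under wp-admin still gets the 401 prompt.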

Related

Protect wp-login.php for all but with conditional logic to allow one referring URL to skip .htaccess login

We're all familiar with this setup for protecting the wp-login.php file by now.
<Files wp-login.php>
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /<some-path>/.htpasswd
Require valid-user
ErrorDocument 401 "Authorization Required"
</Files>
That works great.
But I also have another login in a shortcode (partial code below) ...
wp_login_form( array( 'echo' => false, 'remember' => false, 'value_remember' => false ) );
... that I use on a different page - let's call it:
https://somesite.com/otherloginpage/
Is there any way I can have /otherloginpage/ skip the .htaccess login?
I previously found this here:
https://www.askapache.com/htaccess/
## ALLOW ACCESS WITH PASSWORD OR NO PASSWORD FOR SPECIFIC IP/HOSTS
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
# password prompt for everyone else
Require valid-user
Order Deny,Allow
Deny from all
# Your, the developer's, IP address
Allow from 192.168.64.5
# css/xhtml check jigsaw.w3.org/css-validator/
Allow from w3.org
# Allows google to crawl your pages
Allow from googlebot.com
# no password required if host/ip is Allowed
Satisfy Any
But it doesn't work for exactly what I want to do. I believe I need to set a referrer somehow rather than a domain/IP.
Also, can this be added within the <Files> section? It seems to cause errors at the Order Deny,Allow line.
Any ideas on how to get a referring URL into some logic to skip the .htaccess login requirements?
I found a solution thanks to Reddit.
<Files wp-login.php>
<If "!(%{HTTP_REFERER} -strmatch 'https://url.com/page/')">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/.htpasswd
Require valid-user
ErrorDocument 401 "Authorization Required"
</If>
</Files>
https://httpd.apache.org/docs/2.4/mod/core.html#if
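The askapache snippet quoted in the question is Apache 2.2 syntax: Order, Allow and Satisfy are only accepted by 2.4 when mod_access_compat is loaded, and they cannot be mixed with 2.4 Require rules, which is the usual reason such a block errors out inside <Files>. The same "password or trusted client" logic in native 2.4 form is a <RequireAny> group, shown here as an added example that is not from the original thread; the IP addresses, the .htpasswd path and the exempt page URL are assumptions. It also folds in the referer exemption from the accepted answer as a Require expr instead of an <If> wrapper. One caveat applies to the referer test in either form: Referer is a header the client chooses to send, so anyone who sends Referer: https://url.com/page/ skips the password prompt. It keeps the prompt away from legitimate users of the shortcode form, but it is not a barrier against a brute-force tool that knows or guesses the exempt URL; only the IP rules below actually restrict who can POST to wp-login.php.

```apache
# .htaccess in the WordPress root (Apache 2.4). Added example; IP addresses,
# password-file path and the exempt referring page are assumptions.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/.htpasswd
    ErrorDocument 401 "Authorization Required"

    # Access is granted if ANY one of these succeeds. The ip and expr rules are
    # evaluated before authentication, so clients they match never see the
    # 401 challenge; everyone else falls through to valid-user and is prompted.
    <RequireAny>
        # Developer workstation and office range (mod_authz_host).
        Require ip 192.168.64.5
        Require ip 10.0.0.0/8

        # Requests arriving from the site's own alternative login page.
        # Client-controlled header: convenience only, not access control.
        Require expr "%{HTTP_REFERER} == 'https://url.com/page/'"

        # Everyone else must authenticate against the .htpasswd file.
        Require valid-user
    </RequireAny>
</Files>
```

If the goal is purely to stop brute force rather than to hide the prompt from one page, drop the Require expr line and keep only the ip and valid-user rules.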

Apache Basic Auth seems to override File access restrictions set in .htaccess

I have setup a virtual host with Basic Auth.
<Directory ~ "^/home/www/.*/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
DirectoryIndex index.html index.php
AuthType Basic
AuthName "HALMA"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
Allow from 10.0.0
Satisfy Any
</Directory>
<Files ~ "\.(htaccess|inc|tpl)$">
Order deny,allow
Deny from all
</Files>
(The Files section could be in a .htaccess, too; same effect.)
Now .htaccess, .inc and .tpl files are accessible if the user authenticates successfully to the Basic Auth, which is not the intended behavior. The file restrictions should always be active, preventing any user from accessing critical files, logged-in or not.
I tried moving the Files section from the vhost config to .htaccess and vice versa, and commenting out the 10.0.0 line.
If I comment out the whole Auth stuff, it works.
I would be glad if someone could point me in the right direction.
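What the question describes follows from how Satisfy merges: the Satisfy Any set in <Directory> is inherited by the <Files> section, and so is Require valid-user. Inside <Files> the access-control half (Deny from all) fails, but the authentication half succeeds for anyone holding a password, and "Any" means one passing half is enough. The two fixes below are an added example, not an answer from the thread, and reuse the question's own paths: in 2.2 syntax the file block needs its own Satisfy All so both halves must pass; in native 2.4 syntax the file block gets Require all denied, which with the default AuthMerging Off replaces the inherited authorization rules outright.

```apache
# --- Apache 2.2 (or 2.4 with mod_access_compat): keep the <Directory> block
# from the question unchanged and add one line to the file blacklist. ---
<Files ~ "\.(htaccess|inc|tpl)$">
    Order deny,allow
    Deny from all
    # The directory-level "Satisfy Any" is inherited here and would let any
    # authenticated user through; require BOTH access and auth checks to pass.
    Satisfy All
</Files>

# --- Native Apache 2.4 form of the same vhost fragment. ---
<Directory ~ "^/home/www/.*/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride All
    DirectoryIndex index.html index.php
    AuthType Basic
    AuthName "HALMA"
    AuthUserFile /usr/local/apache/passwd/passwords
    # "Allow from 10.0.0" plus "Satisfy Any" becomes a RequireAny group
    # (the partial address 10.0.0 means 10.0.0.0/24).
    <RequireAny>
        Require ip 10.0.0.0/24
        Require valid-user
    </RequireAny>
</Directory>

<Files ~ "\.(htaccess|inc|tpl)$">
    # A Require in the more specific <Files> section replaces the inherited
    # RequireAny (AuthMerging Off is the default), so this denies everyone,
    # password or not, from the 10.0.0 network or not.
    Require all denied
</Files>
```

Either variant can live in a .htaccess as the question notes; the 2.4 form is preferable because it does not depend on Satisfy inheritance at all.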

password protect file in apache 2.4 .htaccess

I used to protect files in older versions of Apache with this code in the folder's .htaccess file:
AuthUserFile /home/folder/.htpasswds/.htpasswd
AuthName "Password Protected Area"
AuthType basic
<Files "wp-login.php">
require user superadmin
</Files>
With my .htpasswd being like this:
admin:EBbqCq1YlLHSQ
superAdmin:PrlugFjcTaqlg
But my ISP updated Apache and the code in my .htaccess stopped working and the whole site displayed a 500 error.
I'm trying to protect WordPress's wp-login.php to add an additional layer of protection in case of a brute-force attack.
I have looked for a solution but I haven't found one yet.
Any help will be greatly appreciated.
I've found the solution:
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts

Denying access to wp-config.php in WordPress

The WordPress article Hardening WordPress suggests that the following can be used in .htaccess to deny access to anyone surfing for wp-config.php:
<files wp-config.php>
order allow,deny
deny from all
</files>
My question: considering my file permissions for wp-config.php are set at 0600, why is adding this code necessary?
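File mode 0600 governs which operating-system user can open the file; whichever user runs PHP has to be able to read wp-config.php for WordPress to work at all, and that is the same user Apache serves files as. So the mode does nothing against an HTTP request for the file. Normally the PHP handler executes it and the response carries no source, but if PHP handling is ever not applied (handler misconfigured during an upgrade, or a copy left behind as wp-config.php.bak or wp-config.php~ that no handler matches), Apache serves the raw text with the database credentials in it. The .htaccess rule refuses the request at the HTTP layer regardless. Below is the Hardening WordPress rule in native Apache 2.4 syntax, as an added example that is not from the article; extending it to common backup-file names is my generalization, and that suffix list is an assumption.

```apache
# WordPress root .htaccess, Apache 2.4. Added example; the list of backup
# suffixes is an assumption about common editor and copy conventions.
<FilesMatch "^wp-config\.php(\.(bak|old|orig|save)|~)?$">
    # Deny every HTTP request for the file, authenticated or not. This is the
    # 2.4 equivalent of the "order allow,deny / deny from all" pair above.
    Require all denied
</FilesMatch>
```

The old order/deny syntax still works on 2.4 only while mod_access_compat is loaded; the Require form does not depend on that module.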

Protect Development Wordpress site using htaccess

How can I password-protect a development WordPress site completely from search engines and humans using .htaccess?
Also, can you specify in which folder I need to keep the .htaccess file in WordPress to completely block it?
I tried it with the following .htaccess file, but after logging in only the homepage shows up and other pages don't work.
SetEnvIf Host dev.test.com passreq
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/user/dev.test.com/wp-content/themes/theme_name/.htpasswd
Require valid-user
Order allow,deny
allow from all
Deny from env=passreq
Satisfy any
What am I doing wrong? Currently I am keeping the .htaccess file at *wp-content/theme/theme_name/.htaccess*.
You should put your file in your webroot to completely password-protect it. Putting it under *wp-content/theme/theme_name* will only protect files served from that directory.
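A webroot .htaccess for the dev site in native Apache 2.4 form, as an added example that is not from the thread; the host name, the .htpasswd location and the realm are assumptions. It keeps the question's SetEnvIf idea but inverts it: the variable is set for every Host header except dev.test.com (a negative lookahead), and Require env then grants access without a password on those hosts, while dev.test.com falls through to Require valid-user. The 2.2 line Deny from env=passreq cannot be translated as Require not env inside <RequireAny>, because a negated Require can only deny or abstain there and Apache rejects the configuration. A per-directory .htaccess only governs requests that map into that directory, which is why the answer's advice to use the webroot matters: page requests such as /about/ are handled by index.php in the root and never touch the theme directory.

```apache
# /home/user/dev.test.com/.htaccess  (webroot, Apache 2.4). Added example;
# host name, password-file path and realm name are assumptions.

# Set "nopass" for every Host header that is NOT dev.test.com (with or without
# a port), so the same file can be shared with a production vhost.
SetEnvIf Host "^(?!dev\.test\.com(:\d+)?$)" nopass

AuthType Basic
AuthName "restricted area"
# Keep the password file outside the document root (it was inside wp-content
# in the question); a file that is never under the webroot cannot be served.
AuthUserFile /home/user/.htpasswd

# Non-dev hosts pass on the env rule before authentication and see no prompt;
# dev.test.com has to authenticate.
<RequireAny>
    Require env nopass
    Require valid-user
</RequireAny>

# Belt and braces for any crawler that does get a 200 (mod_headers).
<IfModule mod_headers.c>
    Header set X-Robots-Tag "noindex, nofollow"
</IfModule>

# Stock WordPress permalink rules; these must stay in the webroot .htaccess
# or every URL other than the homepage stops resolving.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
```

Search engines that request the dev host receive a 401 for every URL and index nothing; the X-Robots-Tag header only matters for hosts the env rule lets through.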
