Im trying to secure my wordpress site behind htaccess but seem to be getting a fail.
HTML
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile www.sample.com/.htpasswd
Require valid-user
Any ideas?
The AuthUserFile value is always specific to your hosting configuration. If you don't know what the value should be, do a phpinfo() and find the DOCUMENT_ROOT value.
It should be sth like that:
AuthUserFile /home/YOUR_NAME_ETC/.htpasswd
Related
We're all familiar with this setup for protecting the wp-login.php file by now.
<Files wp-login.php>
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /<some-path>/.htpasswd
Require valid-user
ErrorDocument 401 "Authorization Required"
</Files>
That works great.
But I also have another login in a shortcode (partial code below) ...
wp_login_form( array( 'echo' => false, 'remember' => false, 'value_remember' => false ) );
... that I use on a different page - lets call it:
https://somesite.com/otherloginpage/
Is there any way I can have /otherloginpage/ skip the .htaccess login?
I previously found this here:
https://www.askapache.com/htaccess/
## ALLOW ACCESS WITH PASSWORD OR NO PASSWORD FOR SPECIFIC IP/HOSTS
AuthType basic
AuthName "Ooops! Temporarily Under Construction..."
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
Require valid-user # password prompt for everyone else
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any # no password required if host/ip is Allowed
But it doesn't work for exactly what I want to do. I believe I need to set a referrer somehow rather than a domain/IP.
Also, can this be added to within the <files> section? It seems to cause errors at the Order Deny,Allow line.
Any ideas on how to get a referring URL into some logic to skip the .htaccess login requirements?
I found a solution thanks to Reddit
<Files wp-login.php>
<If "!(%{HTTP_REFERER} -strmatch 'https://url.com/page/')">
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/.htpasswd
Require valid-user
ErrorDocument 401 "Authorization Required"
</If>
</Files>
https://httpd.apache.org/docs/2.4/mod/core.html#if
I used to protect files in olders versions of apache with this code in the folderĀ“s .htaccess file:
AuthUserFile /home/folder/.htpasswds/.htpasswd
AuthName "Password Protected Area"
AuthType basic
<Files "wp-login.php">
require user superadmin
</Files>
With my .htpasswd being like this:
admin:EBbqCq1YlLHSQ
superAdmin:PrlugFjcTaqlg
But my ISP updated apache and the code in my .htacess stop working and the whole site displayed error 500.
Im trying to protect wp-login.php of wordpress to add an aditional layer of protection in case of a brute force attack.
I have looked for a solution but I havent found a soluction yet.
Any help will be greatly appreciated
Ive found the solution
<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/example/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>
http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts
I am trying to password protect the wp-login.php file in Wordpress but getting errors.
This is the code that I am adding to the main .htaccess file (obviously the path to the passwd file is correct).
# Protect wp-login
<Files wp-login.php>
AuthUserFile "/path/to/my/passwd"
AuthName "Private access"
AuthType Basic
require valid-user
</Files>
All works well if Permalinks are off. If I switch off Wordpress Permalinks, then when accessing site.com/wp-login.php redirects in infinite loop and request goes in timeout with the page never displaying.
If I switch on the Permalinks, Worpress adds the directives just after the above block of code that I have posted.
What can be causing this and how can I get this security measure to work along side permalinks?
ErrorDocument 401 default
as explained here this was missing from the .htaccess file
Whenever I try to protect wp-admin directory using a password, .htaccess file is created inside wp-admin folder. But when I navigate to the wp-admin folder via browser it gives below error. Also i have noted when i rename or delete the htaccess file within wp-admin folder then browser is able to navigate to wp-admin folder.
What can i do to protect wp-admin folder and at the same time access the wp-admin folder via browser ?
http://abc.com/wp-admin/
htaccess within wp-admin folder looks like below
AuthName "Authorised Users"
AuthUserFile "/home/abc/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
you can write following code into htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/pathto_htpasswd/.htpasswd
AuthGroupFile /dev/null
require valid-user
and below into htpasswd
username:encrypted_password
OR you can use plugin
I had similar issues when adding password protection to the wp-admin directory. In addition to the code that you already added, try adding the following 2 lines to the top of your .htaccess file:
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
Note that while you might have protected your wp-admin directory, you have not protected your wp-login.php file, you you are still vulnerable to a brute force attack. So you will also want to edit the .htaccess file at the root of your site and enclose the same code within FilesMatch tags. So it would look something like this:
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "Authorised Users"
AuthUserFile "/home/abc/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
How can I password protect development Wordpress site complete from search engines and humans using htaccess.
Also can you specify in which folder I need to keep .htaccess file in wordpress to complete block it.
I tried it with following htacess file but after logging in only homepage showsup and other pages don't work.
SetEnvIf Host dev.test.com passreq
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/user/dev.test.com/wp-content/themes/theme_name/.htpasswd
Require valid-user
Order allow,deny
allow from all
Deny from env=passreq
Satisfy any
What am I doing wrong? Currently I am keeping .htaccess file in *wp-content/theme/theme_name/.htaccess*
You should put your file in your Webroot to completely password protect it. Putting it under *wp-content/theme/theme_name will only protected files served from this directory