How to restrict access to web page by user - wordpress

I want to prevent access to the entire page. The page is on the cloud because it is in development; I'm working with SEO on the page and it has started appearing on Google.
The page is not ready for everyone and I need to restrict access with a simple user / pass floating form.
I saw an example in the past but don't remember exactly what I must do.
I remember that in htaccess I must write some lines asking for the user / pass, and those lines link to a file on the server that holds the data. Could it be something like that?
And can I do this on a WordPress installation?
Thanks in advance.

Here is a link to use for .htaccess and .htpasswd files.
Generates the necessary files for you to place on your server
There is a FAQ there as well.

Create an Apache password file, e.g. /path/to/passwords
Put this code in your .htaccess:
## password secure only sub.domain.com
SetEnvIfNoCase Host ^sub\.domain\.com$ SECURED
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/passwords
Require valid-user
Satisfy any
Order allow,deny
Allow from all
Deny from env=SECURED
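
The directives above use the Apache 2.2 access-control syntax (Order, Allow, Deny, Satisfy), which Apache 2.4 accepts only through mod_access_compat. The same policy in 2.4 syntax, as an added example that is not part of the original answer; the host name and password-file path are the answer's own placeholders:

```apache
# Apache 2.4 form of the rule above: ask for a password only when the
# request's Host header is sub.domain.com (placeholder from the answer).
SetEnvIfNoCase Host ^sub\.domain\.com$ SECURED

AuthType Basic
AuthName "My Protected Area"
# Keep the password file outside the document root so it can never be
# served as a page. /path/to/passwords is the answer's placeholder.
AuthUserFile /path/to/passwords

<RequireAny>
    # Requests for any other host name pass without a password ...
    <RequireAll>
        Require all granted
        Require not env SECURED
    </RequireAll>
    # ... requests for sub.domain.com need a valid login.
    Require valid-user
</RequireAny>

# Simpler variant for a site that is entirely under development:
# remove the SetEnvIfNoCase line and the <RequireAny> block and keep
# only "Require valid-user", so the password is requested regardless
# of which host name the request carries.
```

Basic authentication sends the password base64-encoded with every request, so serve the protected site over HTTPS.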

The easiest answer within a WordPress site would be:
1) Go to Settings/Privacy and set the site to "Ask search engines not to index this site". This will (source: Codex: Privacy Settings explained):
Causes <meta name='robots' content='noindex,nofollow' /> to be
generated into the <head> section (if wp_head is used) of your
site's source, causing search engine spiders to ignore your site.
Causes hits to robots.txt to send back: User-agent: * Disallow: /
Note: The above only works if WordPress is installed in the site root
and no robots.txt exists.
Stops pings to ping-o-matic and any other RPC ping services(...)
Hides the Update Services option entirely on the Administration > Settings > Writing Screen with the message "WordPress is not notifying any Update Services because of your blog's privacy settings."
You should test if this is working, using for example Google Webmaster Tools
2) Add one of those plugins: Private Only, Registered Only or similar. They will prompt the login form to any visitor trying to see the site.
Then, you are ready to work online without worrying about site visibility. Just remember to undo those changes, especially step 1. It could drive you mad later if you forget that. It will undermine all of your SEO efforts.
There are also some nice plugins to set a 'Coming Soon' page and still be able to work on the theme, which show the 'coming soon' page only to users that are not logged in.
Best regards!

Related

WP-admin does not redirect to login page

If I browse to my wordpress wp-admin directory, I recall that I used to get redirected to the login page if I was not already logged in. Now I get the standard wordpress page not found error. I'm not aware of changing any configuration that would alter this behavior. Are there things that could have been done to stop the auto redirection from occurring? Or something I need to re-enable or reverse to get that behaviour back?
Yes, generally it is a practice used for security reasons, because you see if I know that you are using Wordpress then I can easily guess all your URLs, login URL, Admin URL, Register URL, etc...
There are some plugins that would do that for you; iThemes is an example.
iThemes Security hides common WordPress security vulnerabilities,
preventing attackers from learning too much about your site and away
from sensitive areas like your site’s login, admin, etc.
Changes the URLs for WordPress dashboard areas including login, admin
and more
So the short answer is, yes you can configure it one way or another.
To undo it, configure it again.

Chrome pop up instead of login page after wordpress installation

So I installed wordpress (in a subfolder if it matters). After the installation I want to log in to my admin page (by going to /wp-login.php).
Instead of the login page, as I would expect it, I get the Chrome login pop-up. The login data with which I installed Wordpress does not work.
As you correctly surmised, this is not the Wordpress login screen.
This login is popping up because password protection is set up on the folder that you installed Wordpress in.
It depends on your server setup, but most likely this is being controlled from a file on your server called .htaccess. You will probably find it inside the subfolder you installed in, or possibly in the root folder of the site.
If you open that file and look for lines similar to the following, removing them will remove the password protection, and let you log in to Wordpress as usual.
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
Although - you might want to find out who added it there and why they added it, before removing it!
Add the code below to the .htaccess file:
Satisfy Any
I asked the server admin and he suggested that I use wpadmin as a username and password. It worked. After I did that I got the normal WordPress user page. The password is set by the admin to prevent brute-force attacks. If you have the same problem, just ask your admin for the password (mine was wpadmin). #Tim Malone

Only a wordpress group of user can access to a folder using .htaccess

I don't know a lot about .htaccess.
I have a website with WordPress and I made a part private, only for subscribers. I have installed a couple of WordPress plugins to control the access to that page. The problem is that the "private" page links to a folder where I have a lot of .html pages. That is the folder I want to protect. I have used the HTTP_REFERER in the .htaccess but I know it is very easy to hack it.
Is there any way to write in the .htaccess file a command that checks the WordPress user file and sees if the user belongs to the "subscriber" group?
I suggest protecting the private page with a password (this is a common feature in WordPress) and not messing with the .htaccess file.
Anyhow, there is no way to tell Apache (because the .htaccess is applied by it) that this or that user is a registered or approved user. This can be done on a different level - PHP and/or WordPress logic.

Secure uploaded files in Wordpress

I have a site based on WordPress. Only logged-in users can see posts, sites, and files (I use the s2member plugin).
I have a problem with disabling access to files for users who are not logged in.
I upload files and attach them to a post. Only logged-in users can see the post and attachments.
The problem is that a user who is not logged in can download files directly (e.g. http://my-site.pl/files/secret_file.pdf).
How can I prevent this? Some plugin, .htaccess?
My site is on shared hosting; I have access only via FTP.
There are potential solutions, but none stands out in practice -- each has its own set of thorns.
There are commercial plugins that implement access restriction on part or all of your WP site. Some allow to restrict files, some don't. Amember is one of the more established players in that arena. (I cannot recommend their offer, however. Amongst other problems I ran into, it didn't play well on a multi-server setup.) There probably are some free plugins that do the same since I last checked.
If you decide to code something yourself, there are multitudes of options. Three of them include:
1) Serving the file using PHP instead of Apache, and requiring the user to be logged in before serving the file. It works. And it's relatively easy to set up if you decide to be sloppy. It's not so easy if you want to set it up correctly: think partial files that need to be resumed, etc.
2) Conditionally serving the file using Apache. In essence, you create a user-specific file in a token folder, and you store the name of that file as a cookie when the user logs in. Then, have Apache rewrite rules deny access if the corresponding file isn't present in the token folder. This is not easy to set up.
3) Not restricting files at all and leaving things the way they are at the moment: a link to a publicly available file that only members can see. The rationale here is that no matter how well you restrict access to your pdf, it'll end up on a torrent site or a download site somewhere if a disgruntled user decides to share it.
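
The second option above (Apache checks for a per-user token file) could look like this in the .htaccess of the files folder. This is an added example, not the answer author's code; the cookie name dl_token, the token directory /home/example/dl-tokens and the restriction to .pdf files are assumptions, and the login code that creates and deletes the token files is not shown.

```apache
# .htaccess in the folder holding the protected files (added example).
# Assumptions: on login the site stores a random 64-hex-character value
# in a cookie named dl_token and creates an empty file with that name in
# /home/example/dl-tokens, a directory outside the document root; on
# logout or expiry it deletes the file.
RewriteEngine On

# 1) No dl_token cookie, or a value that is not exactly 64 hex digits:
#    refuse. The strict pattern also keeps "/" and ".." out of the file
#    name that rule 2 builds from the cookie.
RewriteCond %{HTTP_COOKIE} !(?:^|;\s*)dl_token=[0-9a-f]{64}(?:;|$)
RewriteRule \.pdf$ - [F]

# 2) Well-formed cookie: refuse unless the matching token file exists.
#    %1 is the value captured by the first RewriteCond of this rule.
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)dl_token=([0-9a-f]{64})(?:;|$)
RewriteCond /home/example/dl-tokens/%1 !-f
RewriteRule \.pdf$ - [F]
```

The token works as a bearer credential, so generate it from a cryptographic random source and set the cookie with the Secure and HttpOnly attributes.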
Use this in .htaccess. This allows users to download or view only .gif, .jpg, .jpeg, .png and .bmp files.
If you don't want to allow this, then remove the line "Allow from env=let_me_in".
I hope this will work.
# BEGIN WordPress
<IfModule mod_rewrite.c>
# If the URI is an image then we allow access
SetEnvIfNoCase Request_URI "\.(gif|jpe?g|png|bmp)$" let_me_in
Order Deny,Allow
Deny from All
# Allow access only if an image was requested
Allow from env=let_me_in
</IfModule>
# END WordPress

Wordpress Setting Custom URLs for login. Not Possible?

I am not an expert in mod_rewrite, so I need big-time help. Here is the scenario:
Domain Name: www.example.com
Points To: /www/public_html/
I have a wordpress installation at:
/www/public_html/subfolder/
Now I have two htaccess files, let's call them .h1 and .h2. I have managed up to now to do this:
When user types www.example.com they are taken to the wordpress homepage in the subdirectory (sweet). In fact everything is hunky-dory besides:
MAIN PROBLEM:
I want to create a custom login URL, say : www.example.com/mylogin
I am able to do the following by setting the following in my .h2
RewriteRule ^mylogin$ wp-login.php
But when I use this URL, it takes me to the login screen but the URL in the browser changes to http://example.com/subfolder/wp-login.php
I want the URL that is displayed when the login screen is presented to stay the same as before i.e. http://example.com/mylogin
More precisely, no subfolder name and no wp-login should be displayed. How do I achieve this? Any help would be appreciated.
Your solution doesn’t hide the default login url. It only adds an easier to remember url which redirects to the default url /wp-login.
Without the need for coding you can easily install the plugin Custom Login and Admin URL’s that fixes this weakness.
Caution: This plugin has been tested on a new installation of WordPress and it worked fine. However, most free plugins are unsupported, which means they sometimes conflict with other plugins depending on what you have installed. If you have any issues, log in to cPanel or FTP and delete the plugin or contact your web hosting provider.
Another Security plugin for WordPress which you may want to take a look at is named Better WP Security. This WordPress plugin offers security settings for WordPress login, registration and admin pages as well as many other anti hacking features to protect your site.
