Password protect download directly in wordpress - wordpress

I'm trying to password protect a directory in wordpress in my cpanel and it's not working, wordpress keeps picking up the URLs and writing to it's own software. How can I get around this?
Even if I put my files in /wp-content/uploads/downloads/ it's still not recognizing them as downloadable, it forwards to a wordpress 404 error

1) create a .htaccess file in the directory you want to hide with this content:
AuthUserFile /www/path/to/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Confidential Information"
AuthType Basic
require user admin
then create a .htpasswd file with this content:
admin:password
and then only user 'admin' with password 'password' should be able to access directory.
or..
2) if you just move it below than the public HTML root folder then you don't have to worry about password protecting it - nobody can access it without direct server access

Create a .htaccess file in your downloads directory:
AuthUserFile /path/to/file/.htpasswd
AuthGroupFile /dev/null
AuthName "Confidential Information"
AuthType Basic
require valid-user
Create a htpasswd file (outside your web root) like so:
htpasswd -bc /path/to/file/.htpasswd admin password

Related

Exclude subdirectories in htaccess / Ask for different credentials in subdirectories / Stop infinite loop of authentication

I want to have htaccess ask for password on my entire site. However one subdirectory (folder1, which has WordPresss installed) should ask for a different login information (userY).
When I remove the auth thing from htaccess in the main folder everything works perfectly fine, but when I have it added I am being infinitely asked for user authentication when I am doing anything in folder1/WordPress.
My directories look something like this:
- folder1
-- wp-admin
-- wp-content
-- wp-includes
-- .htaccess
-- other wp php stuff
- folder2
- folder3
- index.html
- .htaccess
- .htpasswd
My .htaccess for main folder looks like this:
AuthUserFile /home/sites/www.website.at/web/.htpasswd
AuthName Admin
AuthType Basic
Require user userX
AuthGroupFile /home/sites/www.website.at/web/.group
My .htaccess in folder1 looks like this:
AuthUserFile /home/sites/www.website.at/web/.htpasswd
AuthName Admin
AuthType Basic
Require user userY
AuthGroupFile /home/sites/www.website.at/web/.group
I expect it to ask for UserX in folder2, folder3 and main folder (This part works). I expect it to ask for UserY in folder1, but without giving me an endless loop for authentication.
ChatGPT solved the question.
The AuthGroupFile /home/sites/www.website.at/web/.group which my Provider automatically added to the .htaccess was not necessary, because I didn't use groups. Because I didn't use groups, there was no .group file.

Password Protect Wordpress Plugin Directory without htaccess

Does anyone know how to password protect a directory in a Wordpress plugin folder WITHOUT .htaccess?
Apparently WPEngine no longer lets you put htaccess files in the directory - it's been depreciated for some reason.
This would seem to be a loaded question... just because you can't use .htaccess in the directory you want to protect, doesn't necessarily mean you can't use the main .htaccess file in the root.
On Apache 2.4 you can use an Apache <If> expression to limit the HTTP Authentication directives to just that directory.
For example:
<If "%{REQUEST_URI} =~ m#^/wp-content/plugins/#">
AuthType Basic
AuthName "Private Area"
AuthUserFile "/private/path/outside/document-root/.htpasswd-wp-content-plugins"
Require valid-user
</If>

Allow Timthumb to work in a htpasswd protected Wordpress

I have a domain I use for development purposes. In this domain I have several subdirectories with different wordpress installations.
To hide the whole area I made a simple htpasswd protection in the root.
Now I have one of this Wordpress in the domain that uses timthumb library to resize images, and due to the htpasswd, I get "NetworkError: 400 Bad Request" instead of the image.
This is an example of the request that gets the error
http://subdomain.domain.com/WP/wp-content/plugins/plugin-directory/timthumb.php?src=http%3A%2F%2Fsubdomain.domain.com%2FWP%2Fwp-content%2Fuploads%2F2015%2F01%2F012015_valentines_hp_budvase.jpg&w=300&h=620&zc=1
Is there a way to bypass the protection only for that file?
More details on my paths to better read my .htaccess snippets:
I'm in a subdomain pointed to a subdirectory called 'subdomain_folder'
.htaccess I'm working on is located in 'subdomain_folder'
WP is in a subdirectory called 'WP' inside 'subdomain_folder'
Complete Path to WP: '/home/some-folder/public_html/subdomain_folder/WP
Complete Path to Uploads: '/home/some-folder/public_html/subdomain_folder/WP/wp-content/uploads
I tried this:
SetEnvIf Request_URI "^/WP/wp-content/plugins/plugin-dir/timthumb\.php$" allow
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order allow,deny
Allow from env=allow
Satisfy any
UPDATE
Someone adviced me that allowing access to timthumb.php file it's pointless, instead I should allow him to make http requests, or allow full access to uploads folders so, I tried the following, allowing requests from localhost ip
AuthType Basic
AuthName "Reserverd Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Satisfy Any
Tried both localhost and 127.0.0.1
I even tried to add another .htaccess in the single WP upload folder (where timthumb asks for images) with rule to allow from any
Satisfy Any
Order Allow,Deny
Allow from all
Still I cant' get images shown, and I keep getting the NetworkError: 400 Bad Request" instead of the image.
Last Detail, the .htaccess in the WP directory is a standard wp htaccess --> pastebin.com/8PRqEYQ2
I Found the solution.
The right way is indeed allowing requests from the server itself, but the localhost IP (127.0.0.1) was not the right adress to allow.
I made a Reverse IP Lookup searching for the domain I'm on, and I used that IP.
This is the .htaccess that works
RewriteEngine On
<IfModule mod_authn_file.c>
AuthName "Restricted Area"
AuthUserFile "/home/path-to-passfile/passwd"
AuthType Basic
Require valid-user
Order Deny,Allow
Deny from all
# Use your server ip:
Allow from 111.111.111.11
Satisfy Any
</IfModule>
With this rules I can develop apps using timthumb.php in .htpasswd protected directory.
Criticisms and improvements are welcome :)

Password protect wp admin folder : redirecting issue

Whenever I try to protect wp-admin directory using a password, .htaccess file is created inside wp-admin folder. But when I navigate to the wp-admin folder via browser it gives below error. Also i have noted when i rename or delete the htaccess file within wp-admin folder then browser is able to navigate to wp-admin folder.
What can i do to protect wp-admin folder and at the same time access the wp-admin folder via browser ?
http://abc.com/wp-admin/
htaccess within wp-admin folder looks like below
AuthName "Authorised Users"
AuthUserFile "/home/abc/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
you can write following code into htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/pathto_htpasswd/.htpasswd
AuthGroupFile /dev/null
require valid-user
and below into htpasswd
username:encrypted_password
OR you can use plugin
I had similar issues when adding password protection to the wp-admin directory. In addition to the code that you already added, try adding the following 2 lines to the top of your .htaccess file:
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
Note that while you might have protected your wp-admin directory, you have not protected your wp-login.php file, you you are still vulnerable to a brute force attack. So you will also want to edit the .htaccess file at the root of your site and enclose the same code within FilesMatch tags. So it would look something like this:
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "Authorised Users"
AuthUserFile "/home/abc/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>

Protect Development Wordpress site using htaccess

How can I password protect development Wordpress site complete from search engines and humans using htaccess.
Also can you specify in which folder I need to keep .htaccess file in wordpress to complete block it.
I tried it with following htacess file but after logging in only homepage showsup and other pages don't work.
SetEnvIf Host dev.test.com passreq
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/user/dev.test.com/wp-content/themes/theme_name/.htpasswd
Require valid-user
Order allow,deny
allow from all
Deny from env=passreq
Satisfy any
What am I doing wrong? Currently I am keeping .htaccess file in *wp-content/theme/theme_name/.htaccess*
You should put your file in your Webroot to completely password protect it. Putting it under *wp-content/theme/theme_name will only protected files served from this directory

Resources