
I am currently running into an issue with trying to password protect a directory that is sitting inside a directory that's running WordPress. This is for a directory called "admin" that handles a few things outside of WP.

In my WordPress .htaccess file, I have set a rule to ignore this directory.

```
RewriteEngine On
RewriteBase /
RewriteRule ^(admin|index\.php)$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```

When I go to my admin directory, it works just fine and I'm able to see what I should be seeing (basic PHP stuff).

However, when I try and password protect that directory by putting an .htaccess and .htpassword file in there, I get a WordPress 404 error. This is what it looks like:

```
AuthUserFile /home/myuser/public_html/admin/.htpasswd
AuthName "Password Protected Area"
AuthType Basic

<limit GET POST>
require valid-user
</limit>
```

It (obviously) has something to do with the "require valid-user" line. This particular .htaccess/.htpasswd file worked just fine on a similar server set up.

Any thoughts?

  • A 401 error, as opposed to a 404, is what you would expect to see if the `require valid-user` line were breaking things. Anything helpful in the Apache error log? – Shane Madden Apr 04 '11 at 18:20
  • It specifically says 404, not 401 (but I think that's coming from WordPress). And no, I don't see anything in the error log. – Charles Chadwick Apr 04 '11 at 20:23

2 Answers

Old question, but...

```
RewriteRule ^(admin|index\.php)$ - [L]
```

This directive only "ignores" the URL /admin (no trailing slash). So, it won't exclude requests for files inside the /admin subdirectory, or even the /admin directory itself, since mod_dir will append a slash by default via a 301 redirect, i.e. /admin/. (On Apache 2.2, it's also likely that mod_dir is issuing an internal subrequest for the directory index, before mod_rewrite is able to process the URL. This behaviour reversed with Apache 2.4.)

The mod_rewrite directives in the parent .htaccess will then rewrite the request through WordPress. (Although you would expect any requests for physical directories/files to be ignored anyway?)

You would need to change this directive to something like the following instead:

```
RewriteRule ^(admin|index\.php$) - [L]
```

i.e. just move the $ (end-of-string anchor) inside the parentheses. Or, create two separate directives.

Alternatively, you could simply enable (or disable) the rewrite engine inside the /admin/.htaccess file, in order to override the mod_rewrite directives (WordPress front-controller) in the parent .htaccess file:

```
RewriteEngine Off
```

mod_rewrite directives are not inherited by default, so simply enabling (or disabling) the rewrite engine in a child config is enough to override the parent.

MrWhite
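
The difference between the anchored patterns discussed in the answer above, as an added example that is not part of the original answer. Python's `re` stands in for Apache's PCRE matching, the request paths are constructed, and the `tighter` pattern is a variant introduced here that the answer does not give; it shows that moving `$` inside the group also excludes any root-level URL that merely starts with `admin`.

```python
import re

# Patterns as they would appear in the WordPress root .htaccess.
PATTERNS = {
    "question": r"^(admin|index\.php)$",      # rule from the question
    "answer": r"^(admin|index\.php$)",        # change suggested in the answer
    "tighter": r"^(admin(/|$)|index\.php$)",  # assumption: variant added here
}

# Constructed request paths (not taken from the original post).
SAMPLE_PATHS = [
    "/admin",
    "/admin/",
    "/admin/report.php",
    "/index.php",
    "/administrator-guide",  # hypothetical WordPress permalink
    "/2011/04/admin",
]


def htaccess_match_string(url_path):
    """In a root .htaccess, RewriteRule sees the path without the leading slash."""
    return url_path[1:] if url_path.startswith("/") else url_path


def excluded_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths that the '- [L]' exclusion rule would match."""
    regex = re.compile(pattern)
    return [p for p in paths if regex.search(htaccess_match_string(p))]


def compare(paths=SAMPLE_PATHS):
    """Map each pattern name to the paths it keeps away from the WordPress rewrite."""
    return {name: excluded_paths(pat, paths) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:9} {PATTERNS[name]:28} -> {hits}")
```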

Try closing your browser and then trying to connect. You may have cached credentials that are being used.

If you have multiple secured directories with different passwords, use different values for the AuthName.

EDIT: Try moving the Require outside the Limit statement. I always group the Auth definitions with the Require statement in the same block.

Your error seems to indicate the requested resource does not exist or is not readable. Try removing your rewrite modifications for admin. The standard rewrite rules work well with directories and files mixed into the WordPress installation.

You may want to use a LimitExcept block instead of a Limit block to prevent access other than GET or POST. This is my working .htaccess file.

```
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/wordpress/htpasswd
Require valid-user
<LimitExcept GET POST>
    Order allow,deny
    Deny from all
</LimitExcept>
```

Make sure the .ht* files are readable by the web server. I test unauthorized access by changing the user id in the htpasswd file to one I haven't used.

BillThor
  • Thanks for the response. I did try closing the browser, but no dice. I'm not even being prompted for a user or password. Also, there is only one directory secured via .htaccess. – Charles Chadwick Apr 05 '11 at 18:14
  • I tried your suggestions, but still no dice. I'm thinking about trying to move the admin directory outside of the web root and then just setting up a subdomain. – Charles Chadwick Apr 06 '11 at 16:39
  • @Charles: You can point a subdomain directly at the admin directory. Have you tried without the .htaccess file? If it doesn't work without the .htaccess file then it won't work with one. On Ubuntu the WordPress software is in /usr/share, but symlinked to /var/www for the web server to access it. – BillThor Apr 06 '11 at 21:42