0

I fired up a server on Vultr and chose WordPress. It set up htpasswd on the admin login. How can I remove that?

Here is the only .htaccess file I can find:

```
# Only allow direct access to specific Web-available files.

# Apache 2.2
<IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
</IfModule>

# Apache 2.4
<IfModule mod_authz_core.c>
        Require all denied
</IfModule>

# Akismet CSS and JS
<FilesMatch "^(form\.js|akismet\.js|akismet\.css)$">
        <IfModule !mod_authz_core.c>
                Allow from all
        </IfModule>

        <IfModule mod_authz_core.c>
                Require all granted
        </IfModule>
</FilesMatch>

# Akismet images
<FilesMatch "^logo-full-2x\.png$">
        <IfModule !mod_authz_core.c>
                Allow from all
        </IfModule>

        <IfModule mod_authz_core.c>
                Require all granted
        </IfModule>
</FilesMatch>
```

I found this too. Not sure if it is helpful:

`vim default.conf`

```
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}
```
webmagnets
  • Login to the server and remove it. – Orphans Nov 07 '16 at 08:24
  • I tried that, but since I didn't put it there I can't find it. – webmagnets Nov 07 '16 at 10:49
  • So this question was asked 3 years ago and it was downvoted, I had to reset it because now, 2019, I was still facing this issue, so this question IS relevant. I found the solution with @webmagnets's edits, so just for future reference. – DARKGuy Dec 30 '19 at 20:39

3 Answers

2

I found the culprits here:

/etc/nginx/conf.d/wordpress_http.conf and /etc/nginx/conf.d/wordpress_https.conf

I commented out these lines:

```
#               auth_basic "Restricted";
#               auth_basic_user_file /etc/nginx/htpasswd/wpadmin;
#
#               location ~* \.(htaccess|htpasswd) {
#                       deny all;
#               }
```
webmagnets
1

As Orphans suggests, you do basically just "remove it". You need to remove the relevant code from the .htaccess file (probably in the protected directory), or delete the file altogether if that is the only code in it (although this being WordPress it's quite probable that there are WP-specific directives there as well).

The code in .htaccess will also reference a .htpasswd file (possibly in the same directory, but not necessarily). That file should also be removed. Assuming the same file is not being used to protect other directories?

MrWhite
  • I tried ```find / -name ".htaccess" -print``` and got ```/var/www/html/wp-content/plugins/akismet/.htaccess```. I added the contents of that file to my original question. – webmagnets Nov 07 '16 at 10:52
  • Well, there doesn't appear to be anything to do with HTTP Authentication in that `.htaccess` file. This could also be enabled in the server config / VirtualHost. Can you find a `.htpasswd` file anywhere? – MrWhite Nov 07 '16 at 11:17
  • ```find / -name ".htpasswd" -print``` doesn't find anything. – webmagnets Nov 07 '16 at 11:43
  • How do I find the config file with the AuthUserFile directive? – webmagnets Nov 07 '16 at 14:16
  • It's either in the main server config file, in a VirtualHost container (which could also be in the main server config, or a separate file that is _included_), or in a `.htaccess` file _anywhere_ along the file system path that is being requested (`.htaccess` files work on physical directories, not URLs). Then again, this might be entirely script (PHP) generated and there is no `AuthUserFile`!? Just to clarify, this HTTP Authentication is appearing _before_ the normal WordPress login page? – MrWhite Nov 07 '16 at 14:33
  • Yes. Before the login page. – webmagnets Nov 07 '16 at 14:47
  • I added more to my question above. – webmagnets Nov 07 '16 at 14:54
  • Dang, this is an Nginx server?! (Ah, just seen your tag.) Kind of thrown by your references to `.htaccess` (and `htpasswd`) - which is an Apache feature. (?!) – MrWhite Nov 07 '16 at 15:44
  • Oh, I see. You got me going in the right direction. Thanks. – webmagnets Nov 07 '16 at 16:21
0

Just remove the .htpasswd file; it will be disabled automatically.

Sukhjinder Singh
  • ```find / -name ".htpasswd" -print``` doesn't find anything. – webmagnets Nov 07 '16 at 11:43
  • The .htpasswd file is hidden by default; just type `rm -rf .htpasswd` (remain in the folder where this file actually exists) – Sukhjinder Singh Nov 07 '16 at 11:48
  • ```find / -name ".htaccess" -print``` found that hidden file. Why wouldn't it find .htpasswd? – webmagnets Nov 07 '16 at 12:12
  • `ls -ld .?*` This will help you to find .htpasswd – Sukhjinder Singh Nov 07 '16 at 12:23
  • I don't know what directory it is in. – webmagnets Nov 07 '16 at 12:25
  • It will be in root directory of your site, where you kept files of your site – Sukhjinder Singh Nov 07 '16 at 12:27
  • The password file is not necessarily called `.htpasswd` - that is just a convention, and neither is it likely to be in the root directory (at least it shouldn't be). The file is whatever is stated in the `AuthUserFile` directive in your config file. Also, deleting the password file won't remove the HTTP Authentication - you'll still get prompted for a username/password which will now fail, and most probably followed by a 500 Internal Server Error. – MrWhite Nov 07 '16 at 13:14
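
The search the comments above were circling, as an added example that is not from any poster in this thread: it lists the uncommented `auth_basic` and `auth_basic_user_file` directives under an nginx config directory and marks password files that no longer exist, the state in which authentication is still enforced but no login can succeed. The temporary directory, the `deleted` file name and both function names are constructed for the demonstration; on the server in the question the directory to scan would be `/etc/nginx`.

```shell
#!/bin/sh
# Added example (not from the thread). Lists active, uncommented nginx
# basic-auth directives and marks password files that do not exist.

find_basic_auth() {
    # $1: nginx config directory to scan recursively
    grep -rnE '^[[:space:]]*auth_basic(_user_file)?[[:space:]]' "$1" 2>/dev/null |
    sort |
    while IFS=: read -r file line text; do
        directive=$(printf '%s\n' "$text" | awk '{print $1}')
        value=$(printf '%s\n' "$text" |
            sed -E 's/^[[:space:]]*[a-z_]+[[:space:]]+//; s/;[[:space:]]*$//')
        note=""
        # Only absolute paths are checked; relative ones depend on nginx's prefix.
        case "$directive:$value" in
            auth_basic_user_file:/*)
                [ -f "$value" ] || note=" [password file missing]" ;;
        esac
        printf '%s:%s: %s %s%s\n' "$file" "$line" "$directive" "$value" "$note"
    done
}

# Constructed sample tree; file names mirror those named in the accepted answer.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf.d" "$d/htpasswd"
    : > "$d/htpasswd/wpadmin"
    cat > "$d/conf.d/wordpress_http.conf" <<EOF
        auth_basic "Restricted";
        auth_basic_user_file $d/htpasswd/wpadmin;
EOF
    cat > "$d/conf.d/wordpress_https.conf" <<EOF
        auth_basic "Restricted";
        auth_basic_user_file $d/htpasswd/deleted;
EOF
    # Commented-out directives, as in the accepted answer, must not be reported.
    cat > "$d/conf.d/default.conf" <<EOF
#       auth_basic "Restricted";
#       auth_basic_user_file $d/htpasswd/wpadmin;
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample)
find_basic_auth "$sample"
rm -rf "$sample"
```

Directives that share a line with an opening `{` are not matched by this pattern; `nginx -T` prints the fully merged configuration and can be searched the same way.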