Question

Here is a brief synopsis of my problem: I added password protection to the WordPress wp-admin directory of a website that is not located in the root directory, but now the entire site asks for username and password authentication, not just the wp-admin directory/WordPress login page. I want to password protect the WordPress wp-admin directory and wp-login.php page, but I don't want every other page to prompt for userid and password. Now some details (apologies for this being so long)...

I have a shared hosting account where I host several WordPress websites all under the same account. At the root directory (public_html) is my own website, and then there are several other websites in their own sub-directories. Recently, I added password protection to the wp-admin directory and wp-login.php file for each site.

So the file structure looks like this:

my-site
    site-1
        wp-admin
    site-2
        wp-admin
    wp-admin  /* this is the wp-admin directory for my site */

I added the following to the .htaccess file in my site's wp-admin directory, and this works OK - it adds password protection to the wp-admin directory of my site as expected.

ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user

Then I added the following code to the .htaccess file in the root directory of my site:

<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>

This also works as expected - it adds password protection to the wp-login.php page of my site as expected. So far, so good.

The problems begin when I add password protection to the other sites that are not in the root directory. This is pretty much identical to what I added to my site, except for the additional directory level in the AuthUserFile statement. For example, I add the following to the .htaccess file in my site-1's wp-admin directory:

ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "Site1User"
AuthUserFile "/home/my-site/.htpasswds/public_html/site1.com/wp-admin/passwd"
AuthType Basic
require valid-user

I also added the same code wrapped in FilesMatch tags to the .htaccess in site-1's root directory.

<FilesMatch "wp-login.php">
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
AuthName "Site1User"
AuthUserFile "/home/my-site/.htpasswds/public_html/site1.com/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>

This does password protect the wp-admin directory and wp-login.php page, but now every page on site-1 asks for authentication. The page renders OK, but a pop-up window asks for user name and password. If I hit cancel, the dialog is closed and I can see the page like normal; when I refresh the page or go to another page, I'm asked for authentication again. On the other hand, if I hit OK, then the authentication dialog does not reappear; but then I can no longer access the wp-admin directory or wp-login page (I get a "The page isn't redirecting properly" message).

I suspect that somewhere there is a rewrite rule that is causing this to happen, but I don't see what it is. Here is the entire .htaccess from the root of my site:

ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
        AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
    <IfModule mod_mime.c>
        # DEFLATE by extension
        AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN W3TC Page Cache core
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteRule .* - [E=W3TC_ENC:_gzip]
    RewriteCond %{REQUEST_METHOD} !=POST
    RewriteCond %{QUERY_STRING} =""
    RewriteCond %{REQUEST_URI} \/$
    RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
    RewriteCond "%{DOCUMENT_ROOT}/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index.html%{ENV:W3TC_ENC}" -f
    RewriteRule .* "/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index.html%{ENV:W3TC_ENC}" [L]
</IfModule>
# END W3TC Page Cache core
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>

And here is the entire .htaccess from site-1's root directory:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "Site1User"
AuthUserFile "/home/my-site/.htpasswds/public_html/site1.com/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>

I have changed the names of the sites in the code above, and I did not include all of the rules in the .htaccess files, but I have removed the other stuff without fixing the problem, so I'm pretty sure I've given you all that is relevant. I can send you the actual files and real links privately if you want them.


Solution

The problem with getting password prompts when not accessing wp-admin persisted even after moving the site to the root! So the issue was not that it was on a parked domain.

Found solution on updated InMotionHosting page: http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts#allow-admin-ajax

Solution is to add the following rules to the .htaccess file located in the wp-admin directory:

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Full .htaccess file now looks like this:

ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
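
A worked model of why the answer's fix works, added here as an example; it is not code from the question, the answer or the linked hosting page. It reduces the Apache 2.2 directives used on this page (`require valid-user`, `Order`/`Allow from all`, `Satisfy`) to a small Python evaluator, builds a "before" rule set (the question's wp-admin/.htaccess) and an "after" rule set (the answer's, with the `<Files admin-ajax.php>` block), and simulates an anonymous visitor whose page load calls admin-ajax.php, which plugins and themes do from public pages. Under "before" that sub-request gets a 401, so the browser shows the Basic-auth dialog on every page; under "after" it gets 200 while the rest of wp-admin still needs a login. The rule sets, paths and the sub-request list are constructed for the example, and the `FORGOT_ALLOW` set shows a caveat that is not on the page: `Order allow,deny` without `Allow from all` locks everyone out with a 403, valid credentials or not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Access-control directives in effect for one request, reduced to the
    Apache 2.2 ones used on this page (mod_auth_basic + mod_authz_host)."""
    require_valid_user: bool = False   # 'require valid-user' present
    order: str = "deny,allow"          # Apache default; the answer uses 'allow,deny'
    allow_from_all: bool = False       # 'Allow from all' present
    satisfy: str = "all"               # 'all' (default) or 'any'


# Constructed rule sets. The "*" entry is the directory-wide policy of
# wp-admin/.htaccess; a file-name key models a <Files ...> override.

# Before the fix: every file under wp-admin, admin-ajax.php included,
# requires a Basic-auth login.
BEFORE = {"*": Policy(require_valid_user=True)}

# After the fix: the <Files admin-ajax.php> block from the answer adds
# 'Order allow,deny', 'Allow from all' and 'Satisfy any' for that one file.
AFTER = {
    "*": Policy(require_valid_user=True),
    "admin-ajax.php": Policy(require_valid_user=True, order="allow,deny",
                             allow_from_all=True, satisfy="any"),
}

# Caveat (constructed): 'Order allow,deny' written without 'Allow from all'
# and without 'Satisfy any' denies the host check for everyone.
FORGOT_ALLOW = {"*": Policy(require_valid_user=True, order="allow,deny")}


def host_check(p: Policy) -> bool:
    """mod_authz_host: with 'Order allow,deny' the default verdict is deny
    unless an Allow matches; with the default 'Order deny,allow' it is allow
    (no Deny directives appear anywhere on this page)."""
    if p.order == "allow,deny":
        return p.allow_from_all
    return True


def decide(rules: dict, path: str, valid_credentials: bool) -> int:
    """Status Apache would send for a request under wp-admin: 200, 401 or 403."""
    name = path.rsplit("/", 1)[-1]
    p = rules.get(name, rules["*"])
    host_ok = host_check(p)
    auth_ok = valid_credentials or not p.require_valid_user
    if p.satisfy == "any":
        # Either the host check or a valid login is enough.
        if host_ok or auth_ok:
            return 200
        return 401 if p.require_valid_user else 403
    # Satisfy all: both must pass; the host check is evaluated first.
    if not host_ok:
        return 403
    return 200 if auth_ok else 401


def front_page_prompts(rules: dict) -> bool:
    """Simulate an anonymous visitor loading a public theme page whose
    JavaScript calls admin-ajax.php (constructed sub-request list).
    Any 401 makes the browser show the Basic-auth dialog the question
    describes on every page."""
    subrequests = ["/site-1/wp-admin/admin-ajax.php"]
    return any(decide(rules, r, False) == 401 for r in subrequests)


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER), ("forgot Allow", FORGOT_ALLOW)):
        ajax = decide(rules, "/site-1/wp-admin/admin-ajax.php", False)
        admin = decide(rules, "/site-1/wp-admin/index.php", False)
        admin_auth = decide(rules, "/site-1/wp-admin/index.php", True)
        print(f"{label:13s} anon admin-ajax={ajax} anon index={admin} "
              f"login index={admin_auth} prompts on public pages={front_page_prompts(rules)}")
```

The evaluator only covers the directives that appear on this page; real Apache also consults Deny lists, AuthGroupFile and, on 2.4 servers, the `Require all granted` form that replaces `Order`/`Allow`, so treat it as a reading aid for the rule set, not a substitute for checking the status codes against the live server.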

Licensed under: CC-BY-SA with attribution