Here is a brief synopsis of my problem: I added password protection to the WordPress wp-admin directory of a website that is not located in the root directory, but now the entire site asks for username and pawword authentication, not just the wp-admin directory/WordPress login page. I want to password protect the WordPress wp-admin directory and wp-login.php page, but I don't want every other page to prompt for userid and password. Now some details (apologies for this being so long)...
I have a shared hosting account where I host several WordPress websites all under the same account. At the root directory (public_html) is my own website, and then there are several other websites in their own sub-directories. Recently, I added password protection to the wp-admin directory and wp-login.php file for each site.
So the file structure looks like this:
my-site
site-1
wp-admin
site-2
wp-admin
wp-admin /* this is the wp-admin directory for my site */
I added the following to the .htaccess file in my site's wp-admin directory, and this works OK - it adds password protection to the wp-admin directory of my site as expected.
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
Then I added the following code to the .htaccess file in the root directory of my site:
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
This also works as expected - it adds password protection to the wp-login.php page of my site as expected. So far, so good.
The problems begin when I add password protection to the other sites that are not in the root directory. This is pretty much identical to what I added to my site, except for the additional directory level in the AuthUserFile statement. For example, I add the following to the .htaccess file in my site-1's wp-admin directory:
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "Site1User"
AuthUserFile "/home/my-site/.htpasswds/public_html/site1.com/wp-admin/passwd"
AuthType Basic
require valid-user
I also added the same code wrapped in FilesMatch tags to the .htaccess in site-1's root directory.
<FilesMatch "wp-login.php">
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
AuthName "Site1User"
AuthUserFile "/home/my-site/.htpasswds/public_html/site1.com/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
This does password protect the wp-admin directory and wp-login.php page, but now every page on site-1 asks for authentication. The page renders OK, but a pop-up window asks for user name and password. If I hit cancel, the dialog is closed and I can see the page like normal; when I refresh the page or go to another page, I'm asked for authentication again. On the other hand, if I hit OK, then the authentication dialog does not reappear; but then I can no longer access the wp-admin directory or wp-login page (I get a "The page isn't redirecting properly" message).
I suspect that somewhere there is a rewrite rule that is causing this to happen, but I don't see what it is. Here is the entire .htaccess from the root of my site:
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
# BEGIN W3TC Browser Cache
<IfModule mod_deflate.c>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json
<IfModule mod_mime.c>
# DEFLATE by extension
AddOutputFilter DEFLATE js css htm html xml
</IfModule>
</IfModule>
# END W3TC Browser Cache
# BEGIN W3TC Page Cache core
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteRule .* - [E=W3TC_ENC:_gzip]
RewriteCond %{REQUEST_METHOD} !=POST
RewriteCond %{QUERY_STRING} =""
RewriteCond %{REQUEST_URI} \/$
RewriteCond %{HTTP_COOKIE} !(comment_author|wp\-postpass|w3tc_logged_out|wordpress_logged_in|wptouch_switch_toggle) [NC]
RewriteCond "%{DOCUMENT_ROOT}/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index.html%{ENV:W3TC_ENC}" -f
RewriteRule .* "/wp-content/cache/page_enhanced/%{HTTP_HOST}/%{REQUEST_URI}/_index.html%{ENV:W3TC_ENC}" [L]
</IfModule>
# END W3TC Page Cache core
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "MySiteUser"
AuthUserFile "/home/my-site/.htpasswds/public_html/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
And here is the entire .htaccess from site-1's root directory:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"
<FilesMatch "wp-login.php">
ErrorDocument 401 "Access Denied"
ErrorDocument 403 "Access Denied"
AuthName "Site1User"
AuthUserFile "/home/my-site/.htpasswds/public_html/site1.com/wp-admin/passwd"
AuthType Basic
require valid-user
</FilesMatch>
I have changed the names of the sites in the code above, and I did not include the all of the rules in the .htaccess files, but I have removed the other stuff without fixing the problem, so I'm pretty sure I've given you all that is relevant. I can send you the actual files and real links privately if you want them.
https://stackoverflow.com/questions/21121754
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian