Support » Plugin: WooCommerce » customer logout while havin wp-login protected

  • Resolved mmtomm

    (@mmtomm)


    I’m protecting the wp-login.php and wp-admin.php with basic authentication setup in .htaccess

    When woocommerce shop customers go to the my account page and click on the logout button (in german “Abmelden” as shown in the screenshot) they would have to enter the htpassword which of course is not available to them.
    https://imgur.com/5TgK3fn
    The logout only works when I deactivate the protection of wp-login.php.
    Is there a way to have wp-login.php protected AND a customer can logout?

    Thank you
    Tom

Viewing 6 replies - 1 through 6 (of 6 total)
  • Yes, it is possible. You have to allow the query string “action=logout”

    For Cloudflare
    (http.request.uri.path contains “/wp-login.php” and not http.request.uri.query contains “action=logout”)

    For Apache
    <IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_URI} ^/wp-login.php$
    RewriteCond %{QUERY_STRING} ^action=logout
    RewriteRule ^(.*)$ – [L]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{HTTP_USER_AGENT} ^(|-?)$ [NC,OR]
    RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
    RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
    RewriteRule ^(.*)$ – [F,L]
    </IfModule>`

    Thread Starter mmtomm

    (@mmtomm)

    Thank you for the snippet (apache)

    I don’t get the basic auth screen anymore, which is good, but now I get a 404 at
    mydomain.com/wp-login.php?action=logout&redirect_to….
    still not logged out

    I tried both, having the protection of wp-login.php before and after your script, in both cases I get the 404

    If you still have auth on it will fail. You need to disable auth and use the code and other steps when you run WooCommerce.

    Thread Starter mmtomm

    (@mmtomm)

    disabled auth, the 404 still appears. Not sure what the “other steps” mentioned would be…

    If you have a 404, you should start by clearing cache and then test (and check logs).

    Options can include, but not limited to..

    2FA on admin accounts
    limit login attempts
    wp-login limited to your ip

    You are now asking for security, and that depends on your needs, host, server type, budget, etc. You can use plugins, good hosting, htaccess rules, nginx rules, cloudflare, etc

    Plugin Support 3 Sons Development – a11n

    (@3sonsdevelopment)

    Hi @mmtomm,

    Since we haven’t heard from you in a while, we’re hoping that means you were able to get this resolved. I’m going to close this thread out now.

    If you’re still having trouble, please open up a new topic and we’ll be happy to help out.

    Cheers

Viewing 6 replies - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.