Title: Exclude subdirectory Last modified: August 30, 2016 --- # Exclude subdirectory * Resolved [JonLPD](https://wordpress.org/support/users/jonlpd/) * (@jonlpd) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/) * I recently tried to install a new instance of wordpress into a sub directory. However iThemes does not let me execute the install as part of its security settings. Is there a line of code I can add the .htaccess so that iThemes excludes that specific directory. I have tried and failed and would really appreciate some support. * Thanks for the great plugin! * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/) Viewing 6 replies - 1 through 6 (of 6 total) * [dwinden](https://wordpress.org/support/users/dwinden/) * (@dwinden) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308444) * Are you getting the “Too many redirects” error after the database setup part ? * And have you been able to identify the RewriteRule in the .htaccess that is causing this ? * Otherwise please post the entries between: * # BEGIN iThemes Security – Do not modify or remove this line * # END iThemes Security – Do not modify or remove this line * from your .htaccess file and we’ll have a look at it. * dwinden * [Gerroald](https://wordpress.org/support/users/gerroald/) * (@gerroald) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308482) * Hi All, * I’ve seen this a few times today and we’re tracking it down. Do you have the Protect System Files feature found in System Tweaks? If so, can you disable it and let me know if that helps? * Thanks, * Gerroald * [dwinden](https://wordpress.org/support/users/dwinden/) * (@dwinden) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308522) * If you are getting the following error message: * > Forbidden > You don’t have permission to access /wordpress_temp/wp-admin/install.php on > this server. * then temporarily disable the Protect System Files setting in the System Tweaks section on the iTSec plugin Settings page as indicated by Gerroald. * dwinden * Thread Starter [JonLPD](https://wordpress.org/support/users/jonlpd/) * (@jonlpd) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308525) * Hey, The 403 error im getting is: You don’t have permission to access /advocacyforyoungpeople/ wp-admin/install.php on this server. * I dont think there is a problem with the plugin. I just need to it ignore the subdirectory /advocacyforyoungpeople * Here is the iThemes code I’m using in the htaccess: * # BEGIN iThemes Security – Do not modify or remove this line # iThemes Security Config Details: 2 # Ban Hosts – Security > Settings > Banned Users SetEnvIF REMOTE_ADDR“ ^81\.45\.182\.213$” DenyAccess SetEnvIF X-FORWARDED-FOR “^81\.45\.182\.213$” DenyAccess SetEnvIF X-CLUSTER-CLIENT-IP “^81\.45\.182\.213$” DenyAccess * SetEnvIF REMOTE_ADDR “^42\.63\.209\.13$” DenyAccess SetEnvIF X-FORWARDED-FOR“ ^42\.63\.209\.13$” DenyAccess SetEnvIF X-CLUSTER-CLIENT-IP “^42\.63\.209\.13$” DenyAccess * Require all granted Require not env DenyAccess Require not ip 81.45.182.213 Require not ip 42.63.209.13 Order allow,deny Allow from all Deny from env=DenyAccess Deny from 81.45.182.213 Deny from 42.63.209.13 * # Enable the hide backend feature – Security > Settings > Hide Login Area > Hide Backend RewriteRule ^(/)?login/?$ /wp-login.php [QSA,L] * # Protect System Files – Security > Settings > System Tweaks > System Files Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all Require all denied Order allow,deny Deny from all * # Disable XML-RPC – Security > Settings > WordPress Tweaks > XML-RPC Require all denied Order allow,deny Deny from all * # Disable Directory Browsing – Security > Settings > System Tweaks > Directory Browsing Options -Indexes * RewriteEngine On * # Protect System Files – Security > Settings > System Tweaks > System Files RewriteRule ^wp-admin/includes/ – [F] RewriteRule !^wp-includes/ – [S=3] RewriteCond%{ SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php RewriteRule ^wp-includes/[^/] +\.php$ – [F] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F] RewriteRule ^wp-includes/theme-compat/ – [F] * # Disable PHP in Uploads – Security > Settings > System Tweaks > Uploads RewriteRule ^wp\-content/uploads/.*\.(?:php[1-6]?|pht|phtml?)$ – [NC,F] * # Filter Request Methods – Security > Settings > System Tweaks > Request Methods RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC] RewriteRule ^.* – [F] * # Filter Suspicious Query Strings in the URL – Security > Settings > System Tweaks > Suspicious Query Strings RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR] RewriteCond%{ QUERY_STRING} etc/passwd [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [ NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING}(\ <|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA- Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC, OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost |loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union |declare).* [NC] RewriteCond %{QUERY_STRING} !^loggedout=true RewriteCond %{QUERY_STRING}! ^action=jetpack-sso RewriteCond %{QUERY_STRING} !^action=rp RewriteCond %{HTTP_COOKIE}! ^.*wordpress_logged_in_.*$ RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\. com(.*)$ RewriteRule ^.* – [F] * # Filter Non-English Characters – Security > Settings > System Tweaks > Non- English Characters RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [ NC] RewriteRule ^.* – [F] * # Reduce Comment Spam – Security > Settings > System Tweaks > Comment Spam RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} /wp-comments-post\. php$ RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_REFERER} !^https?://(([ ^/]+\.)?advocacymatters\.co\.uk|jetpack\.wordpress\.com/jetpack-comment)(/|$)[ NC] RewriteRule ^.* – [F] # END iThemes Security – Do not modify or remove this line * Thread Starter [JonLPD](https://wordpress.org/support/users/jonlpd/) * (@jonlpd) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308528) * > then temporarily disable the Protect System Files setting in the System Tweaks > section on the iTSec plugin Settings page as indicated by Gerroald. * That worked and let me install. I’ll make sure it all works properly once i’ve turned this back on and let you know. * Thanks! * [dwinden](https://wordpress.org/support/users/dwinden/) * (@dwinden) * [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308542) * Unfortunately what you initially requested (make an exception for the new subdirectory in .htaccess) is not possible. You cannot specify a directory using the directive. * But this would have probably worked: * > > **# Apache > 2.2** Require** > ip [ip_address]** **# Apache = 2.2** c> Order **deny,allow** Deny from all **Allow from [ip_address]** > * Anything in bold is customized. Where [ip_address] should be substituted with your computer ip address. Basically makes an exception for your ip address only. * Anyway it is not recommended to manually edit iTSec plugin rules in .htaccess Any changes will be overwritten by the iTSec plugin when saving settings. So if you temporarily want something done ok, but set the iTSec plugin rules back to default once you are done. * The preferred method is to temporarily disable the Protect System Files setting in the System Tweaks section on the iTSec plugin Settings page. * dwinden Viewing 6 replies - 1 through 6 (of 6 total) The topic ‘Exclude subdirectory’ is closed to new replies. * ![](https://ps.w.org/better-wp-security/assets/icon.svg?rev=3529351) * [Kadence Security – Password, Two Factor Authentication, and Brute Force Protection](https://wordpress.org/plugins/better-wp-security/) * [Frequently Asked Questions](https://wordpress.org/plugins/better-wp-security/#faq) * [Support Threads](https://wordpress.org/support/plugin/better-wp-security/) * [Active Topics](https://wordpress.org/support/plugin/better-wp-security/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/better-wp-security/unresolved/) * [Reviews](https://wordpress.org/support/plugin/better-wp-security/reviews/) ## Tags * [htaccess](https://wordpress.org/support/topic-tag/htaccess/) * [subdirectory](https://wordpress.org/support/topic-tag/subdirectory/) * 6 replies * 3 participants * Last reply from: [dwinden](https://wordpress.org/support/users/dwinden/) * Last activity: [10 years, 10 months ago](https://wordpress.org/support/topic/exclude-subdirectory/#post-6308542) * Status: resolved