Support » Fixing WordPress » .htaccess and subdirectories

  • Resolved jeffclark


    Seems like there are a couple of questions like this posted, but never any responses. Maybe you know something?

    Shortly: A user-created-outside-of-WP folder is throwing a 404 when trying to access it. Now for some details:

    Blog ‘SS’ ( normal WP blog. Permalinks “/story/%id%/” through mod_rewrite in the default .htaccess file WP created.

    Blog ‘Q’ ( normal WP blog. No fancy permalinks. Located at directory “/here/”.

    The problem is that I need “/here/” to be password protected through a .htpasswd file.

    But the .htaccess file for Blog “SS” presumably sees “/here/” and tries to rewrite, forcing a 404 on blog “SS”.

    When I remove the .htaccess file from the root (“/”), the .htpasswd file for Blog “Q” works perfectly, but permalinks on “SS” quit.

    Any thoughts? Is there a way for mod_rewrite to exclude a directory from it’s rules?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Short answer is, I believe, Yes.

    Seems that either kaf or otto42 have posted that here in the past. Hopefully some searching will turn it up.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    This is a common problem that I’ve experienced myself, and I think I may be getting a handle on it now. It’s a damned odd combination of circumstances, I think. It *only* occurs when you try to use .htaccess to password protect a subdirectory.

    Try this:
    Create a file on your website. Call it onerror.html. It can have just <html></html> in it for all that it matters.
    In WordPress’s .htaccess file, add this to the top of the file:

    ErrorDocument 401 /path/to/onerror.html

    See if that makes any difference. If it doesn’t, add another line with 403 instead of 401.

    I would test this myself, but I’m not at my server.

    Thread Starter jeffclark


    Otto, thank you. That seemed to work. If you get any time at all (who does?) can you explain why it works? If not, thank you anyways.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    I’m not 100% certain on it since I haven’t tested it fully yet, but…

    .htaccess files are additive. Whenever you request a page, the webserver basically goes through every directory down the tree from the root (specified by the closest match of <Directory …> in the httpd.conf file), and adds all the .htaccess files together. As it traverses them, it parses each one. Later .htaccess files override previous ones, but only for the same specified items. RewriteRules are cumulative.

    So what I think is going on is that the authorization in the password protected directory is forcing a 401 response (“Authorization Required”) back to the client. Normally, the client would get the 401 and ask for a password.

    However, in this case, this 401 response is intercepted by the WordPress RewriteRules which says to rewrite everything to WordPress. This is because .htaccess’s are cumulative and your closest matching Directory is the root.

    So, by forcing an ErrorDocument for the 401 response before the WordPress rules, you pre-empt them (since the file actually exists, the RewriteRules won’t take effect upon it), causing your 401 document to be sent instead of rewriting to WordPress. However, the client doesn’t give a crap about that document, it sees the 401 and asks for a password.

    Notice that if you fail to give a password three times (depending on the client), you’ll probably get forwarded back to WordPress. This may or may not be what you want. If you add the 403 line, you’ll get either your error document or a 403 Forbidden page back, not certain which.

    Other possible solutions:
    – Add a new Directory statement to httpd.conf, specifically specifying your password protected directory, thus bypassing the wordpress rewrites from the htaccess search path.
    – Add another rewrite to the top of the wordpress rewrites that pre-empts them for that directory only.

    But forcing a 401/403 document seems like the best solution to me, since it will work with any password protected subdirectories you care to add, without having to specify them.

    Did that make any sense? 😉

    Thread Starter jeffclark


    Yes, perfectly. Thank you again!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘.htaccess and subdirectories’ is closed to new replies.