Support » Fixing WordPress » htaccess for WP subdirectories

  • Is there an “official” method to protect WP virtual content subdirectories such as posts or pages?

    For example, when I first install WP there is a default blog created with 1 post and 1 page; and URLs that look like this:

    What I want to do is to add htaccess files for authentication/authorization to the /sample-page, /blog, and possibly /blog/2012 (or lower). I realize that there are plugins that can protect these content directories. For our enterprise we need htaccess to enforce our (enterprise) authN/authZ. For example, we may need to only allow certain groups access to content; groups which may be hundreds of users who we do not want to provision in WP.

    I have found out a way to do this, but it really is a hack which means that it may not fully work or may break in future upgrades. I can detail those customizations if necessary. Just came here to see if there is an easier, non-hack method of doing this.

Viewing 4 replies - 1 through 4 (of 4 total)
  • WordPress has a built it “Password required” function.
    Go to your posts on your dashboard and click Quick edit, there you
    can enter a password for your post. Works for pages, too.

    BeautyPirate –
    Thanks for the suggestion. We do similar things for content that is not sensitive but should be secured from the public. However for sensitive information that method is not secure enough for an enterprise. In addition it can be a nightmare managing those passwords when you have thousands of users and many sites.

    We have an established web single sign on here, Shibboleth for that matter. It is a requirement to use Shibboleth for authentication, hence our requirement to need htaccess files to access certain WP (virtual) content.

    There is one little problem. WordPress does not create subdirectories for your pages and posts, it´s a database based system, meaning the permalinks ACTUALLY don´t really exist as pages like on a regular website. Hence, no folder to put your .htaccess file in for individual pages.

    My hack to protect a WP page (does not map to a real directory). Note that this is a hack and even if it works with 3.3.1 my concern is that it might break after future upgrades to WP.

    This example will add a htaccess file to protect

    1) Create a directory on filesystem (I like to use the hostname and uri):
    <any path>/host/sample-page
    2) Update httpd.conf, so if httpd sees, use <any path>/host/sample-page as the DocumentRoot

    <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteCond %{HTTP_HOST} ^host\.usc\.edu$ [NC]
            RewriteRule ^(.*) <any path>/host/sample-page/$1 [L]

    3) copy the htaccess file from the WP installation directory to <any path>/host/sample-page and modify the directory paths. And add authentication directives on top:

    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile <any path>/host/sample-page/.htpasswd
    require valid-user
    # BEGIN WordPress - multi-domain setting
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . <wp install dir>/index.php [L]
    # END WordPress

    4) My htpasswd file:

    # password

    5) Now if you hit, you will be prompted by the browser for Basic Authentication. Enter user/password to access url.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘htaccess for WP subdirectories’ is closed to new replies.