Title: .htaccess vs. captcha
Last modified: August 30, 2016

---

# .htaccess vs. captcha

 *  Resolved [mike73](https://wordpress.org/support/users/mike73/)
 * (@mike73)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/htaccess-vs-captcha/)
 * Hallo,
 * … ich habe einen Verzeichnisschutz auf das Verzeichnis “/wp-admin/” gelegt (Thema:
   Brute force, etc.)!
 * Nun stelle ich fest, das cforms2 den “captcha image path” in das Verzeichnis “/
   wp-admin/” legt! ;(
 * `<img id="cf_captcha_img2" class="captcha" src="http://www.meinedomain.de/wp-
   admin/admin-ajax.php?action=cforms2_reset_captcha&_wpnonce=b101bc37b8&ts=2&rnd
   =692038" alt="">`
 * Jetzt erscheint natuerlich immer die Login-Abfrage der .htacces bzw. htpasswd/
   jede Seite mit einem cform2 Formular (inkl. Captcha) – fuer den User gesperrt!
 * 1. Wird wirklich die Datei “admin-ajax.php” aus dem Verzeichnis “/wp-admin/” 
   benoetigt?!?
 * 2. Gibt es einen Ansatz fuer eine Loesung?
 * Denn der Verzeichnisschutz per “.htacces bzw. htpasswd” ist der effektivste Schutz
   vor die ganzen (nicht nur Brute force)Attacken!
 * Oder doch nicht?!?
 * Vielen Dank fuer die schnelle Hilfe!
 * ——-EN—————
 * … I have set a directory protection to the directory “/ wp-admin /” (theme: brute
   force, etc.)!
 * Now I realize, cforms2 puts the “captcha image path” in the directory “/ wp-admin/”!;(
 * `<img id =" cf_captcha_img2 "class =" captcha "src="http://www.meinedomain.de/
   wp-admin/admin-ajax.php?action=cforms2_reset_captcha&_wpnonce=b101bc37b8&ts=2&
   rnd=692038" alt = "">`
 * Now appears of course, always the login query the .htaccess or .htpasswd / each
   side with a cform2 form (incl Captcha.) – blocked for the user!
 * 1. Is the file really “admin ajax.php” from the directory “/ wp-admin /” necessary?!?
 * 2. Is there an approach to a solution?
 * Because the directory protection via “.htaccess or .htpasswd” is the most effective
   protection against the whole (not just brute force) attacks! Or not?!?
 * Thanks for the quick help!
 * [https://wordpress.org/plugins/cforms2/](https://wordpress.org/plugins/cforms2/)

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Thread Starter [mike73](https://wordpress.org/support/users/mike73/)
 * (@mike73)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-6871153)
 * Hallo,
 * … ok – ich habe die htacces folgend angepasst.
 * Der Zugriffsschutz ist jetzt allein auf die `/wp-admin/wp-login.php` gesetzt!
   Jetzt funktioniert Captcha wieder und die Brute Force Attacken sind auch vorbei!
 * Anleitungen fuer die Einrichtung der “.htacces bzw. .htpasswd” (der jeweiligen
   Provider) gibt es ja genug 😉
 * Allerdings bleibt die Frage:
    1. Wird wirklich der Zugriff auf die Datei “admin-
   ajax.php” aus dem Verzeichnis “/wp-admin/” benoetigt?!?
 * Danke!
 * ——-EN—————
 * … Ok – I have adapted the .htaccess followed
 * The access protection is now set solely on the `/wp-admin/ wp-login.php`! Now
   Captcha working again and the brute force attacks are also over!
 * Instructions for setting up the “.htaccess and .htpasswd” (the respective providers)
   there are enough 😉
 * However, the question remains:
    1. Is the access to the file “admin ajax.php”
   from the directory “/wp-admin/” really needed?!?
 * Thanks!
 *  Thread Starter [mike73](https://wordpress.org/support/users/mike73/)
 * (@mike73)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-8986422)
 * Hallo,
 * … is there already a solution for this?
 * Because I think now, it’s much more better/saver to protect the complete directory(/
   wp-admin) with .htaccess!
 * But, than dont work the “Really Simple CAPTCHA”!
    Because now appears of course,
   always the login query the .htaccess each side with a cform2 form (incl. Captcha)–
   blocked for the user! For the reason, please see my first post.
 * Here my question again:
    Is the access to the file “admin-ajax.php” (in /wp-admin)
   really necessary for running the plugin “Really Simple CAPTCHA”?!?
 * Thanks for the quick answer/help!
 *  Plugin Author [bgermann](https://wordpress.org/support/users/bgermann/)
 * (@bgermann)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-8986470)
 * Now that WordPress has a REST API built-in, it would be possible to port the 
   plugin to that API. But until someone does that, you will still need access to/
   wp-admin/admin-ajax.php. You can have that file as an exception from a general
   htaccess blocking rule.
    -  This reply was modified 9 years, 1 month ago by [bgermann](https://wordpress.org/support/users/bgermann/).
 *  Thread Starter [mike73](https://wordpress.org/support/users/mike73/)
 * (@mike73)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-8986498)
 * Wow, Danke fuer Deine schnelle Antwort!
 * … you mean: “But until nobody does not that,…” – right?!?
 * Yes – I know – I almost thought that! ;(
 * I’ll tryed with the excluding rule in .htaccess.
 * Ohje – how work it again? 😉
 * Cheers…
    -  This reply was modified 9 years, 1 month ago by [mike73](https://wordpress.org/support/users/mike73/).
    -  This reply was modified 9 years, 1 month ago by [mike73](https://wordpress.org/support/users/mike73/).
    -  This reply was modified 9 years, 1 month ago by [mike73](https://wordpress.org/support/users/mike73/).
 *  Plugin Author [bgermann](https://wordpress.org/support/users/bgermann/)
 * (@bgermann)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-8986506)
 * Right, logic is hard sometimes :-).
 *  Thread Starter [mike73](https://wordpress.org/support/users/mike73/)
 * (@mike73)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-8986591)
 * Really, has anybody a idea how I create a file exception from the general htaccess
   blocking rule? In this case, the file “admin-ajax.php”
 * Thanks…

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘.htaccess vs. captcha’ is closed to new replies.

 * ![](https://ps.w.org/cforms2/assets/icon-128x128.png?rev=1010031)
 * [cformsII](https://wordpress.org/plugins/cforms2/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/cforms2/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/cforms2/)
 * [Active Topics](https://wordpress.org/support/plugin/cforms2/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/cforms2/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/cforms2/reviews/)

## Tags

 * [brute force](https://wordpress.org/support/topic-tag/brute-force/)
 * [htaccess](https://wordpress.org/support/topic-tag/htaccess/)
 * [wp-admin](https://wordpress.org/support/topic-tag/wp-admin/)

 * 6 replies
 * 2 participants
 * Last reply from: [mike73](https://wordpress.org/support/users/mike73/)
 * Last activity: [9 years, 1 month ago](https://wordpress.org/support/topic/htaccess-vs-captcha/#post-8986591)
 * Status: resolved