• Resolved Mithun Sridharan

    (@mithungmxnet)


    Dear Experts,

    I have an issue and hope you could help me with your insights and pointers. I’m building a site where authors could update their profile from the frontend – the functionality delivered by the TML plugin. I have also created a .htaccess file in the wp-admin folder for an extra layer of protection. The .htaccess file has the following content:

    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /Users/devuser/htdocs/hueman/.htpasswda3
    AuthGroupFile /dev/null
    Require user site_administrator
    Order Deny,Allow
    Allow from site.localhost

    The .htaccess prompts with a username/password popup whenever an attempt is made to access wp-admin directly. So far, so good.

    The issue, however, is as follows.

    Whenever an author attempts to update his/her profile, the popup appears over and over again. The site authors don’t have access to admin credentials and I’m seeking a way to do away with the popup window.

    I also tried to encapsulate the above .htaccess directives using the conditional statement:

    <If "!(%{HTTP_REFERER} -strmatch 'http://site.localhost/*')">
    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /Users/devuser/htdocs/hueman/.htpasswda3
    AuthGroupFile /dev/null
    Require user site_administrator
    Order Deny,Allow
    Allow from site.localhost
    </If>

    The above logic was that once the user has logged in, any access to wp-admin will match the strmatch condition, so the prompt should not appear. However, this isn’t happening and the irritating popup keeps appearing.

    I looked at wp-admin access from the TML plugin and it appears that the plugin requires users.php, profile.php and misc.php, which are all located in the wp-admin directory.

    I have tried several permutations with the various htaccess directives, such as FilesMatch, DirectoryMatch, Files, etc., but the issue persists.

    I have temporarily removed the .htaccess protection for wp-admin, but would like to keep it for security reasons. However, I’m also open to other suggestions.

    The site I’m running already has over 20 essential plugins for functionality, so I’m trying to keep away from installing additional plugins. Besides, htaccess seems to offer some network level security, which is interesting for the objective.

    I’d really appreciate any pointers that help me resolve this issue.

    Thanks in advance!

    Best Regards,
    Mithun

    https://wordpress.org/plugins/theme-my-login/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thomas O.

    (@thomas-o)

    Below this:

    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /Users/devuser/htdocs/hueman/.htpasswda3
    AuthGroupFile /dev/null
    Require user site_administrator
    Order Deny,Allow
    Allow from site.localhost

    Add:

    <FilesMatch "^(admin-ajax|misc|profile|users)\.php$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>

    Thread Starter Mithun Sridharan

    (@mithungmxnet)

    Hi Thomas,

    Thanks for the pointer. I have tried this approach, but it doesn’t work as expected. I still see the password prompt when I try logging in as a normal user. I also tried DirectoryMatch and finally URL matching, as I shared in the code above. I have a strong suspicion that this could be due to a wrong rewrite condition. Could you share your intuition, please?

    Thanks for your pointer, once again. Much appreciated!

    Best Regards,
    Mithun

    Thomas O.

    (@thomas-o)

    What version of Apache are you using? And who is your host? Some hosts have strange settings and you really can’t use HTTP Authentication correctly with them.

    Try this instead for the entire file:

    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /Users/devuser/htdocs/hueman/.htpasswda3
    AuthGroupFile /dev/null
    <LIMIT GET POST>
    Require user site_administrator
    Order Deny,Allow
    Allow from site.localhost
    Satisfy any
    </LIMIT>
    
    <FilesMatch "^(admin-ajax|misc|profile|users)\.php$">
        Order allow,deny
        Allow from all
        Satisfy any
    </FilesMatch>
    
    <LimitExcept GET POST>
    Deny from all
    </LimitExcept>

    The easiest way to see how your host has your server set up is to use something that they may have already set up to do HTTP Authentication. If you’re using cPanel then it may have an option to do that there. Use it to see what it does and see if it matches what you started with.

    Thread Starter Mithun Sridharan

    (@mithungmxnet)

    Applause!!! Thomas, that really did the trick. I was testing the snippet all morning and this seems to be the way to go! Thanks a ton for the tip. It worked!

    I’m sharing the final code for others to use:

    Options All -Indexes
    ErrorDocument 401 default
    ErrorDocument 403 default
    ErrorDocument 301 default
    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /Users/devuser/htdocs/hueman/.htpasswda3
    AuthGroupFile /dev/null
    <LIMIT GET POST PUT>
    	Require user site_administrator
    	Order Allow,Deny
        Allow from all
    	Satisfy any
    </LIMIT>
    
    <FilesMatch "^(admin-ajax|misc|profile|users)\.php$">
        Order deny,allow
        Allow from all
        Satisfy any
    </FilesMatch>
    
    <FilesMatch "\.(jpe?g|png|gif|css|js)$">
        Order deny,allow
        Deny from all
        Allow from site.localhost
        Satisfy all
    </FilesMatch>
    
    <LimitExcept GET POST PUT>
    	Deny from all
    </LimitExcept>

    To answer your other queries, I’m developing the site on XAMPP (1.8.2) localhost, but my site is on a shared hosting provided by Fatcow. I performed the tests locally and the next step is to transfer the .htaccess to Fatcow and see if it works there. Hopefully, it does! I’m keeping my fingers crossed!

    Thanks a ton, Thomas! Much appreciated!

    Best Regards,
    Mithun
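An added note on the final snippet above (this is editor's example config, not the thread's own): at the directory level it combines `Satisfy any` with `Allow from all`, and in Apache 2.2 access semantics (also Apache 2.4 with mod_access_compat) `Satisfy any` means the request is granted if it passes either the host test or the password check, so every wp-admin page becomes reachable with no password. The version below keeps the password as the default and opens only the files the front-end profile editing needs; the user name and .htpasswd path are the ones from the thread.

```apache
# Constructed example: Basic auth on wp-admin with a short allow-list of
# files that may be fetched without a password.

AuthType Basic
AuthName "Protected Area"
AuthUserFile /Users/devuser/htdocs/hueman/.htpasswda3
AuthGroupFile /dev/null

# Default for everything in wp-admin: a valid site_administrator login is
# required. "Satisfy all" (the Apache default, written out here on purpose)
# means the Require must pass; any Order/Allow lines only narrow access further.
Require user site_administrator
Satisfy all

# WEAK form, as in the thread's final snippet, kept here commented out for
# comparison: "Allow from all" passes the host test for every client and
# "Satisfy any" makes that sufficient, so the Require line is never consulted.
# <Limit GET POST PUT>
#     Require user site_administrator
#     Order Allow,Deny
#     Allow from all
#     Satisfy any
# </Limit>

# Exceptions: the scripts the front-end login/profile plugin calls.
# Inside this block "Satisfy any" plus "Allow from all" is intentional:
# exactly these four files are served without a password, nothing else.
<FilesMatch "^(admin-ajax|misc|profile|users)\.php$">
    Order allow,deny
    Allow from all
    Satisfy any
</FilesMatch>

# Methods other than GET/POST/PUT are not needed here; refuse them outright.
<LimitExcept GET POST PUT>
    Deny from all
</LimitExcept>
```

A quick check after deploying: fetching any wp-admin page other than the four allow-listed scripts without credentials should return 401, and the same request with the site_administrator credentials should succeed.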

    Thread Starter Mithun Sridharan

    (@mithungmxnet)

    Hi Thomas,

    Just tested the functionality on the live site. It works!

    Thanks a ton!

    Best Regards,
    Mithun

  • The topic ‘htaccess, wp-admin and TML’ is closed to new replies.