Title: IP blocking disables basic authentication
Last modified: August 30, 2016

---

# IP blocking disables basic authentication

 *  Resolved [m-tias](https://wordpress.org/support/users/m-tias/)
 * (@m-tias)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/)
 * Hello!
 * I’m trying to protect a URL with basic authentication, but it’s not working 
   at all when IP-blocks like these are in the htaccess:
 *     ```
       # Quick ban IP. Will be updated on next formal rules save.
       SetEnvIF REMOTE_ADDR "^###\.###\.###\.###$" DenyAccess
       SetEnvIF X-FORWARDED-FOR "^###\.###\.###\.###$" DenyAccess
       SetEnvIF X-CLUSTER-CLIENT-IP "^###\.###\.###\.###$" DenyAccess
       <IfModule mod_authz_core.c>
       	<RequireAll>
       		Require all granted
       		Require not env DenyAccess
       		Require not ip ###.###.###.###
       	</RequireAll>
       </IfModule>
       <IfModule !mod_authz_core.c>
       	Order allow,deny
       	Deny from env=DenyAccess
       	Deny from ###.###.###.###
       	Allow from all
       </IfModule>
       # END iThemes Security - Do not modify or remove this line
       ```
   
 * Without them the script below works:
 *     ```
       SetEnvIfNoCase Request_URI "^/protected/url" SECURED
       AuthType Basic
       AuthName "Login"
       AuthUserFile /path/to/.htpasswd
       Require valid-user
       Order allow,deny
       Allow from env=!SECURED
       Satisfy any
       ```
   
 * Any idea on how to get the basic authentication to work along with the IP bans?
 * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/)

Viewing 11 replies - 1 through 11 (of 11 total)

 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893832)
 * [@m-tias](https://wordpress.org/support/users/m-tias/)
 * What Apache version are you using ?
 * dwinden
 *  Thread Starter [m-tias](https://wordpress.org/support/users/m-tias/)
 * (@m-tias)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893838)
 * It says Apache/2. So I guess 2.0?
 * m-tias
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893863)
 * [@m-tias](https://wordpress.org/support/users/m-tias/)
 * It’s the second digit in the Apache version that is relevant …
   So contact your hosting provider and find out. It’s probably 2.2.x or 2.4.x.
   Really need to know this before we can proceed.
 * _(The reason why you are only seeing Apache/2 is because your hosting provider
   configured the webserver in such a way that not all Apache version info is made
   public … It’s common security practice to not make this type of info public to
   visitors of a site)._
 * Oh one other thing. I think this is more of an Apache Webserver issue than an
   iTSec plugin issue …
   But an interesting one … hope to learn something new 😉
 * The banned ip address is not yours is it ?
 * dwinden
 *  Thread Starter [m-tias](https://wordpress.org/support/users/m-tias/)
 * (@m-tias)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893893)
 * Ok, so I asked my host about the Apache version and found out it’s 2.4.17.
   And no, the banned ip isn’t mine. 🙂
 * Thanks for helping out!
   m-tias
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893898)
 * [@m-tias](https://wordpress.org/support/users/m-tias/),
 * Ok, great.
 * Since we now know you are using Apache 2.4.x we can start removing the correct
   redundant lines.
   So manually remove the following (Apache 2.2.x specific) lines from the .htaccess:
 * > <IfModule !mod_authz_core.c>
   > Order allow,deny
   > Deny from env=DenyAccess
   > Deny from ###.###.###.###
   > Allow from all
   > </IfModule>
 * Now test the basic authentication.
 * Still not working ?
   Remove the following lines as well:
 * > SetEnvIF REMOTE_ADDR "^###\.###\.###\.###$" DenyAccess
   > SetEnvIF X-FORWARDED-FOR "^###\.###\.###\.###$" DenyAccess
   > SetEnvIF X-CLUSTER-CLIENT-IP "^###\.###\.###\.###$" DenyAccess
   > Require not env DenyAccess
 * After removing the above lines you end up with testing only these (iTSec plugin)
   lines:
 * > # Quick ban IP. Will be updated on next formal rules save.
   > <IfModule mod_authz_core.c>
   > <RequireAll>
   > Require all granted
   > Require not ip ###.###.###.###
   > </RequireAll>
   > </IfModule>
   > # END iThemes Security - Do not modify or remove this line
 * Hopefully using this methodology will help in pinpointing what exactly in the
   IP-block lines is causing problems with basic authentication.
   There are another 2 variations but let’s try the above first.
 * dwinden
 *  Thread Starter [m-tias](https://wordpress.org/support/users/m-tias/)
 * (@m-tias)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893929)
 * Removing the two first blocks you suggested doesn’t make any difference. But 
   if I only remove the last block, the basic authentication works as expected.
   So, to be clear, it’s this block that’s causing the problem:
 *     ```
       # Quick ban IP. Will be updated on next formal rules save.
       <IfModule mod_authz_core.c>
       <RequireAll>
       Require all granted
       Require not ip ###.###.###.###
       </RequireAll>
       </IfModule>
       # END iThemes Security - Do not modify or remove this line
       ```
   
 * m-tias
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893931)
 * [@m-tias](https://wordpress.org/support/users/m-tias/)
 * Happy new year !
   Ok, that makes sense. It might be this single line which is causing trouble:
 * > Require all granted
 * Put the entire IP-block back in and then only remove the following line:
 * >  Require all granted
 * Now test the basic authentication.
 * dwinden
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893932)
 * In addition you could try and change your basic authentication block so it makes
   use of the new Apache 2.4.x access control directives:
 * > AuthType Basic
   > AuthName "Login"
   > AuthUserFile /path/to/.htpasswd
   > SetEnvIfNoCase Request_URI "^/protected/url" SECURED
   > <RequireAll>
   > Require not env SECURED
   > </RequireAll>
   > Require valid-user
 * It’s easier to change your basic authentication block than getting the iTSec 
   plugin to change its IP-block lines.
   Untested so not sure whether this will make any difference.
 * dwinden
 *  Thread Starter [m-tias](https://wordpress.org/support/users/m-tias/)
 * (@m-tias)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893933)
 * Happy new year to you too!
 * Removing the line “Require all granted” makes all the difference.
   Sadly, using the suggested access control directives doesn’t solve the problem.
   Any other possible way to get around this?
 * m-tias
 *  [dwinden](https://wordpress.org/support/users/dwinden/)
 * (@dwinden)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893949)
 * [@m-tias](https://wordpress.org/support/users/m-tias/)
 * (I’ve updated this post after submitting it … Still tweaking so I may update 
   it again.)
 * Ok, try and replace your basic authentication lines with the lines below. Tested
   so it should work this time:
 * > AuthType Basic
   > AuthName "Login"
   > AuthUserFile /path/to/.htpasswd
   > SetEnvIfNoCase REQUEST_URI "^/protected/url" **DenyAccess**
   > <RequireAll>
   > Require valid-user
   > Require expr %{REQUEST_URI} = "/protected/url/"
   > </RequireAll>
 * However there is a complication.
   The complication is that /protected/url/ requests from blocked IPs will also
   trigger the basic authentication login screen. Have not been able to find a
   workaround for this without adding an extra line to the IP-Block lines
   generated by the iTSec plugin.
 * dwinden
 *  Thread Starter [m-tias](https://wordpress.org/support/users/m-tias/)
 * (@m-tias)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893961)
 * Wonderful, dwinden!
 * I can’t see any big problem with blocked IPs being faced with the authentication screen.
   This pretty much solves my issue, but man, I have a hard time identifying the
   logic in the htaccess! I need to learn more about it, let’s hope Google serves
   me well. 🙂
 * Thanks a lot for your time and help!
 * m-tias


The topic ‘IP blocking disables basic authentication’ is closed to new replies.

 * 11 replies
 * 2 participants
 * Last reply from: [m-tias](https://wordpress.org/support/users/m-tias/)
 * Last activity: [10 years, 4 months ago](https://wordpress.org/support/topic/ip-blocking-disables-basic-authentication/#post-6893961)
 * Status: resolved