WordPress.org

Forums

Password-Protect a Directory with .htaccess (13 posts)

  1. Charlie
    Member
    Posted 2 years ago #

    I researched quite a bit and the best WordPress-aware explanation I found is here. I've done all that, but the last step -- stopping WP from throwing a Page Not Found error before the server's password challenge is popped up -- isn't working.

    There's one small difference between the example they give of WP mod_rewrite code and the code I found in my .htaccess file. (It's the first Rewrite rule in the WP section.) Since I don't "speak" mod_rewrite, I'm posting below the new .htaccess file I created and asking you smart folks: Can you see why WP is still throwing Page Not Found before the server's challenge can pop up?

    # This file belongs in the root directory of the Web site (/www).
    
    # The first block of code is required by the .htaccess file that password protects the /www/archive directory.
    # It prevents WordPress from throwing a Page Not Found error before the password challenge can pop up.
    
    # Our installation of WordPress isn't using Pretty Permalinks (mod_rewrite),
    #    so I don't know why WordPress has written the second block of code below.
    #    (We're using Custom Structure: /index.php/%post_id%/%postname%/ )
    #
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC]
    RewriteRule . - [L]
    </IfModule>
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    Thanks for your help!

  2. westpointer
    Member
    Posted 2 years ago #

    Searching for the same issue. I have two sites running WP. On one, the password protection works; the other gives the 404 page. blah

  3. David Choi
    Member
    Posted 2 years ago #

    You don't need

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC]
    RewriteRule . - [L]
    </IfModule>

    At the end of the file, just add

    AuthType Basic
    AuthName "restricted area"
    AuthUserFile /home/yourusername/html/protected-dir/.htpasswd
    require valid-user

    You would need to generate the .htpasswd file using a tool like

    http://www.kxs.net/support/htaccess_pw.html

    and save it as declared above, which is

    /home/yourusername/html/protected-dir/.htpasswd

    Please note that this is not the exact path, if you use cPanel, it should be something similar to

    /home/yourusername/public_html/protected-password/.htpasswd

    where you can create a folder called "protected-password" or save the file else where you want that is above public_html so it can't be accessed publicly by your site visitors.

  4. westpointer
    Member
    Posted 2 years ago #

    @ Self Hosted WP.com - I was using the tool in cPanel to assist with creating the .htaccess entries and password files. But I'd get a redirect with a 404 error. The solution ended up being simple:

    at the top of /.htaccess add

    #next two lines allow password protected directories with 404 errors
    ErrorDocument 401 ./error.html
    ErrorDocument 403 ./error.html
    #

    then create error.html file.

  5. David Choi
    Member
    Posted 2 years ago #

    @westpointer Thanks for sharing. Usually that isn't necessary, maybe it's due to Apache core settings.

    Glad it's solved.

  6. Charlie
    Member
    Posted 2 years ago #

    @ WestPointer -- I'd like to try your solution, but I've got questions.

    1) Those two lines -- I add them at the beginning of the .htaccess file that's in the root of the Web site, right? Not in the .htaccess file that's in the password-protected directory, right?

    2) I don't understand what the error.html file does. Could you give an example of what goes in that file?

    3) Am I correct that the error.html file goes in the root of the Web site?

    Thanks for your help!

  7. David Choi
    Member
    Posted 2 years ago #

    @Charlie:

    1)Correct

    2) It's just a simple HTML file, you can put a simple message or customized beautiful page. The following basic HTML will do:

    <html>
    <head>
    <title>401 Error</title>
    </head>
    
    <body>
    <h1>Sorry, 401 Error...</h1>
    </body>
    </html>

    3) Yes.

  8. Xephan
    Member
    Posted 2 years ago #

    I was trying to solve the same problem with WordPress's rewrite rule interfering with .htpasswd protected folders. The simplest solution is actually to change WordPress's rewrite rule

    From
    RewriteRule . /index.php [L]

    To

    RewriteRule ./ /index.php [L]

    With this, the additional block of rewrite rule doesn't seem to be needed anymore.

  9. David Choi
    Member
    Posted 2 years ago #

    @Xephan Thanks for sharing!

  10. DevelopNovaNumis
    Member
    Posted 2 years ago #

    @Xephan... Thanks indeed!

    There really shouldn't be this level of challenge encountered when sites require non-WP-related password-protected directories to co-exist at the same level.

    Indeed, such accommodation should be defacto OOTB.

  11. amitramani
    Member
    Posted 1 year ago #

    Thanks, @Xephan!
    After trying the several other solutions and failing, I decided to give this a shot.
    And it works beautifully.

    Siteground also recommends this same procedure. Lets hope my htaccess does not get overwritten by some other plugin.

    http://kb.siteground.com/how_to_exclude_a_folder_from_wordpress_permalinks/

  12. companyjuice
    Member
    Posted 1 year ago #

    Thanks @amitramani -- updating the WordPress main .htaccess file as explained simply in the link you provided worked perfect for me!

    http://kb.siteground.com/how_to_exclude_a_folder_from_wordpress_permalinks/

    So my main .htaccess file is this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    #RewriteRule . /index.php [L] # replaced with next line...
    RewriteRule ./ /index.php [L]
    </IfModule>
    # END WordPress

    And my subfolder that I want to password protect has .htaccess file:

    AuthType Basic
    AuthName "Password Protected Area"
    AuthUserFile /home/juice/.htpasswds/.htpasswd
    Require valid-user

    And no more WordPress 404 error! Woohoo!

    Thanks again,
    Marty McGee

  13. donnybrook33
    Member
    Posted 1 year ago #

    I edited .htaccess to
    RewriteRule ./ /index.php [L]

    It worked fine to get the password protected directory working. My problem now is that the 404 page changes. I get a generic 404 error, rather than the 404 theme page I'm using.

    If I go to a URL that doesn't exist like mydomain.com/test I get this:
    Not Found
    The requested URL /test was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    However, if I go to mydomain.com/test/ (with the ending slash) I get the 404 page from my theme, with the template, sidebar, etc.

    Is there something I can to to ensure I always get the 404 page from my theme, and not the generic 404?

    Thanks,
    Don

Topic Closed

This topic has been closed to new replies.

About this Topic