Wordpress password protect directory

September 7, 2007

The Background

WordPress is a great blogging platform thanks to its features and user-friendly admin interface, but it is also a great CMS. It is extremely SEO-friendly with its nice URLs. Speaking of URLs, WordPress uses some internal rewriting rules with Apache’s aid. Problems appear when you try to password protect a directory via HTTP authentication: it conflicts with WordPress’s default .htaccess, resulting in a 404 error.

The Solution

The solution is to “tell” Apache how to handle our password-protected directory. But let’s take it step by step. Let’s first password protect the directory via .htaccess (this provides HTTP auth; user/pass are sent as plain text to the server; the password is stored as a crypt hash). To do that, we create a .htaccess file in our directory. Let’s say we want to protect the directory called “secure” that lies in the web server’s root.

AuthUserFile /your/directory/here/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Area"
AuthType Basic
require valid-user

Now we need to create the password file that will hold our username:password pairs. This could be done with a script, but the easiest way is to type htpasswd -c .htpasswd username, which will prompt for the password to be used for user ‘username’.

Note: The path to the .htpasswd file in your .htaccess file must be the correct one.

OK, what we have done so far would work in any usual configuration. It won’t work, though, if you have a WordPress installation in your web server’s root: accessing the protected folder will give you a 404. To fix that you have to modify the original WordPress .htaccess file.

It looks something like this:

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

# END WordPress

Add this piece of code above it:



RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_URI} ^/secure/(.*)$

RewriteRule ^.*$ - [L]

Now your secured folder will be accessible, after entering the username and password of course. Enjoy ;)
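A small pre-deployment check for the two files described above, added here as an example (it is not code from the original post): it confirms that the pass-through rule for the protected directory sits above WordPress's catch-all rule and that the Basic-auth block is complete. The function names and the sample file contents are constructed for illustration.

```python
# Constructed sample files matching the article's layout (not from a real server).
ROOT = """\
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/secure/(.*)$
RewriteRule ^.*$ - [L]
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""
SECURE = 'AuthUserFile /your/directory/here/.htpasswd\nAuthName "Secure Area"\nAuthType Basic\nrequire valid-user\n'

def directives(text):
    """Yield (line_no, lowercased directive name, args) for every non-comment line."""
    for no, line in enumerate(text.splitlines(), 1):
        name, _, args = line.strip().partition(" ")
        if name and not name.startswith("#"):
            yield no, name.lower(), args.strip()

def check_root(text, directory):
    """The pass-through rule for `directory` must sit above the index.php catch-all."""
    skip, catchall, cond_hit = None, None, False
    for no, name, args in directives(text):
        if name == "rewritecond":
            cond_hit = cond_hit or ("%{REQUEST_URI}" in args and f"^/{directory}/" in args)
        elif name == "rewriterule":
            target = (args.split() + ["", ""])[1]  # substitution part of the rule
            skip = skip or (no if cond_hit and target == "-" else None)
            catchall = catchall or (no if target.endswith("index.php") else None)
            cond_hit = False  # conditions only apply to the next RewriteRule
    if skip is None:
        return [f"no pass-through rule for /{directory}/"]
    return [] if not catchall or skip < catchall else [f"pass-through rule (line {skip}) is below the catch-all (line {catchall})"]

def check_auth(text):
    """The protected directory needs a complete Basic-auth block and a usable password file path."""
    d = {name: args for _, name, args in directives(text)}
    path = d.get("authuserfile", "")
    checks = [
        (path.startswith("/") and not path.endswith("/"), "AuthUserFile must be an absolute path to a file"),
        (d.get("authtype", "").lower() == "basic", "AuthType must be Basic"),
        (d.get("require", "").lower() == "valid-user", "'require valid-user' is missing"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Both functions return a list of problems, so an empty list from each means the layout matches the steps above.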

 

3 Comments for “Wordpress password protect directory”

  1. Justin Says:

    This doesn’t work. Could you go into a little more detail?

  2. Claudiu Says:

    Seems like on some configs the error pages are not correctly setup.
    HTTP Basic-Auth first sends 401 Unauthorized to request a password from the browser. The webserver tries to serve the corresponding, specified Errordocument. However when the ErrorDocument directive of your webserver is set wrongly, i.e. points to a non-existent file, it can interact with your wordpress htaccess, those 2 conditions found there failing.
    So what you could do is manually specify the error pages in htaccess like this:

    ErrorDocument 401 /errorpage.html
    ErrorDocument 403 /errorpage.html

    Add those in the beginning of the .htaccess and make sure the html page specified above exists in that path.
    That should work

  3. \')/* Says:

    ekibastos…

    ekibastos…
