• Resolved Aileron

    (@aileron)


    Hi folks!
    I am facing the very same issue as described in this thread:
    https://theeventscalendar.com/support/forums/topic/authentication-requested/

    And, in fact, I am prohibiting access to admin-ajax.php. For enhanced security, I have added HTTP BasicAuth for the wp-admin subdirectory. This actually is standard procedure for everyone who wants to tighten a WordPress server’s security. (There are thousands of articles recommending this procedure, so it’s nothing I have invented, see https://www.google.at/search?q=wordpress+basicauth+wp-admin&oq=wordpress+basicauth+wp-admin&aqs=chrome..69i57.9694j0j7&sourceid=chrome&ie=UTF-8).

    Thus, I kindly ask you to modify the event calendar plugin in such a way that it does not directly (via HTTP) access resources in the wp-admin directory as this generally weakens the security level of a WordPress installation. All files in this directory should only be accessible when logged in to the Dashboard. Allowing public access to files within this directory is very bad & dirty practice.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Andras Guseo

    (@aguseo)

    Hey @aileron,

    Thanks for using The Events Calendar and for reaching out to us with your suggestion.

    If I know correctly then direct access to the folders and files within wp-admin and wp-includes is denied by default. WordPress wouldn’t leave this to chance for sure. And access to these folders is not handled by our plugins but by WordPress itself.

    Although at this moment I cannot make any promises that this will surely happen, I will definitely bring this to the attention of our developers and see what they can do about it.

    Cheers,
    Andras

    • This reply was modified 8 years, 1 month ago by Andras Guseo.
    Thread Starter Aileron

    (@aileron)

    Thanks, that would be awesome! Just to be precise here, I am aware that your plugin does not handle the access to these folders – however, your plugin somehow directly accesses (via HTTP) the file admin-ajax.php which is located in wp-admin. Once this directory is protected by Apache’s .htaccess file, any HTTP request to this file fails – and that is the problem, there should not be any HTTP requests to files in wp-admin unless the user is logged in to the dashboard, that’s basically how WP is meant to be used.

    Thanks & best regards,
    Christoph

    Plugin Contributor Andras Guseo

    (@aguseo)

    Thanks for the extra clarification! Will forward this as well.

    Cheers,
    Andras

  • The topic ‘Bug: Cannot switch months when HTTP BasicAuth is enabled for the Dashboard area’ is closed to new replies.
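The setup discussed in this thread, as an added example that is not part of the original posts or the plugin's code: an Apache 2.4 `.htaccess` for `wp-admin` that keeps HTTP Basic Auth on the Dashboard while exempting `admin-ajax.php`, the WordPress endpoint that front-end AJAX requests are sent to. The realm name and the `.htpasswd` path are placeholders.

```apache
# wp-admin/.htaccess (Apache 2.4 syntax)

# Basic Auth for everything in wp-admin. With only this block in place,
# anonymous front-end requests to admin-ajax.php receive 401 and the
# browser shows an authentication prompt, which is the symptom reported
# in this thread.
AuthType Basic
AuthName "Dashboard"                   # placeholder realm name
AuthUserFile /path/to/.htpasswd        # placeholder, keep outside the web root
Require valid-user

# Exemption for the AJAX endpoint only. <Files> sections are merged after
# the enclosing directory context, and with the default "AuthMerging Off"
# this Require replaces "Require valid-user" for this one file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

The exemption removes only the web-server password prompt for that one file; every other file in `wp-admin` still requires Basic Auth credentials.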