• Here is the problem:

    One of the recommended security measures is to password-protect the wp-admin folder (via .htaccess).

    When a WP Error page is generated (say, if you didn’t enter a required field in a comment post), a password prompt will pop up because the error page is requesting wp-admin/css/install.css in its HTML, which it can’t get from the password protected directory.

    Why does WP generate a WP Error page that is shown to the public that requires files from the wp-admin directory? That seems like it would be a security problem.

    Does anyone know how to password protect the wp-admin directory via .htpasswd but still allow access to files/directories that WP needs for this and other pages shown to the public?

    Apologize if this has already been answered. Appreciate any help/info.

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    One of the recommended security measures is to password-protect the wp-admin folder (via .htaccess).

    Recommended by who, exactly? The wp-admin is already protected to be accessible to logged in users only. You don’t need any .htaccess protection on it for it to be secure.

    Why does WP generate a WP Error page that is shown to the public that requires files from the wp-admin directory? That seems like it would be a security problem.

    WordPress has its own internal security and password system. You don’t need another one. And the files in wp-admin do not necessarily all need to be hidden from the users in some way.

    Thread Starter jca

    (@jca)

    Recommended by who, exactly?

    Just one of many security tips offered by various sites to protect WordPress. Aren’t there WP plugins that also password protect the wp-admin folder?

    I wouldn’t think adding another layer of security to the wp-admin folder is a waste of time. With the popularity of WordPress and it being a target of hackers, how could advocating more security ever be a bad thing?

    If for example, someone got the WP admin login and password (by whatever method), they wouldn’t necessarily have the htaccess password and vice versa.

    How is this a bad thing?

    And the files in wp-admin do not necessarily all need to be hidden from the users in some way.

    Wouldn’t calling files from the wp-admin folder for public page loads prevent other security measures/ideas, such as renaming the wp-admin folder to hide it from attackers, like vBulletin allows you to do?

    Regardless, if anyone knows how to exclude files from .htpasswd via the .htaccess file, please let me know.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    I wouldn’t think adding another layer of security

    Security does not come in layers, despite popular misconceptions on this topic. What comes in layers is access control, which is a different thing entirely.

    With the popularity of WordPress and it being a target of hackers, how could advocating more security ever be a bad thing?

    Advocating fake pretend security is indeed a bad thing, because it prevents you from seeing the difference between that and real security.

    If for example, someone got the WP admin login and password (by whatever method), they wouldn’t necessarily have the htaccess password and vice versa.

    … So adding 12 levels of password protection is more secure than 11 levels? Because what if they got the first 11 passwords? They still would not have the 12th one!

    If somebody gets your password, you’re boned. So, don’t give out your password. Seems like a pretty simple thing to do. WordPress itself does not even know your password, so the only place it exists is in your head. Keep it there.

    Wouldn’t calling files from the wp-admin folder for public page loads prevent other security measures/ideas, such as renaming the wp-admin folder to hide it from attackers, like vBulletin allows you to do?

    Sigh. If you think that “hiding” things is “more secure” then we really have nothing to discuss. Renaming wp-admin helps you not one bit.

    Thread Starter jca

    (@jca)

    Sigh. If you think that “hiding” things is “more secure” then we really have nothing to discuss.

    Otto42, I’m sorry if you are annoyed with my question(s) about “fake pretend security”. Thanks for taking the time to explain these misconceptions about security, wordpress, etc.

    If anyone knows how to exclude specific wp-admin files/folders/etc. from htpasswd, please let me know, I’d appreciate it.

    Hi jca,

    I would have to agree with you here. My blog was hacked over the spring by a known WordPress vulnerability (and this was before the patch was released). Had I renamed my wp-admin directory or added some sort of extra layer of protection, I’d bet my chances of getting hacked for that vulnerability would have been drastically reduced. Someone probably wasn’t doing any manual hacking — they’re likely to have been running a script that scanned for WordPress installs and attacked known files within the wp-admin directory. Not all hacks are run by scanning scripts, but many are.

    As for your problem, I don’t think it’s possible to exclude specific files. However, you can copy that install.css file to somewhere other than the wp-admin directory, then insert a redirect rule at the top of the same .htaccess file that references .htpasswd:

    RewriteEngine On
    RewriteRule ^css/install\.css https://www.yoursite.com/install.css [L]

    I think that the fact that the public error page references the admin folder should be filed as a bug and hopefully fixed in the future.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Excluding a subdirectory from authentication requirements is simpler than excluding specific files.

    Just create a .htaccess in the directory in question, then add this to it:

    Order Deny,Allow
    Allow from all
    Satisfy any

    The “Satisfy Any” is the key here, that will make that directory (and everything below it) no longer require authentication.

    Thread Starter jca

    (@jca)

    Does the WordPress Codex need to be updated so it isn’t “advocating fake pretend security”?

    hi jca,
    not sure what is bothering our mod up there, but let me assure you that adding extra password protection at wp-admin is ALWAYS a good thing.

    I have encountered your problem as well with many plugins that are usually related to commenting. While excluding *.css in .htaccess is not directly possible, we can do it the other way around: just ask for a password for specified types such as *.php, *.js. (Other file types inside wp-admin are *.css, *.png and *.gif)

    So, my htaccess inside wp-admin looks like below:

    ErrorDocument 401 /401.html
    <FilesMatch "\.(js|php)$">
    AuthType Basic
    AuthUserFile /path/to/.htpasswd
    AuthName "Security Login"
    Order Deny,Allow
    Deny from all
    require valid-user
    Satisfy any
    </FilesMatch>

    hope this helps….

    If you have mod_access loaded, you can exclude a specific file(s) from authentication.

    In the .htaccess in wp-admin, add the following before the authorization rules:
    # Allow access to install.css & install-rtl.css for wp_die()
    SetEnvIf Request_URI "/css/install\.css$" css_only
    SetEnvIf Request_URI "/css/install-rtl\.css$" css_only

    Then right after the:
    Order Allow,Deny
    Add:
    Allow from env=css_only

    Additional files can be added as necessary. Or, if you want to allow access to all .css files, use:
    SetEnvIf Request_URI "\.css$" css_only
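A complete wp-admin/.htaccess that puts the SetEnvIf approach just above (and the goal of the FilesMatch version earlier in the thread) into one file, written here as an added example rather than a configuration anyone posted in this thread; the .htpasswd path and the AuthName are placeholders, and the IfModule guards select Apache 2.4 or Apache 2.2 syntax so the same file works on either.

```apache
# wp-admin/.htaccess (added example): require HTTP Basic auth for wp-admin,
# but let the two stylesheets that wp_die() error pages reference through
# without a password, so public error pages no longer trigger a login prompt.
# Placeholders: /path/to/.htpasswd (create it with `htpasswd -c`), AuthName text.

AuthType Basic
AuthName "WordPress admin (placeholder realm)"
AuthUserFile /path/to/.htpasswd

# Tag only the public stylesheets with an environment variable.
# Each pattern is anchored on the end of the request URI, so a request for
# some other file that merely contains "install.css" in its path is not tagged.
SetEnvIf Request_URI "/css/install\.css$" public_asset
SetEnvIf Request_URI "/css/install-rtl\.css$" public_asset

# Apache 2.4: mod_authz_core replaces Order/Allow/Satisfy with Require blocks.
# RequireAny grants access if EITHER the request carries the tag (stylesheets)
# OR the client authenticates (everything else under wp-admin).
<IfModule mod_authz_core.c>
    <RequireAny>
        Require env public_asset
        Require valid-user
    </RequireAny>
</IfModule>

# Apache 2.2: legacy host-based control plus "Satisfy Any".
# Order Allow,Deny denies by default; only tagged requests are allowed by the
# host rule, and Satisfy Any lets a valid login satisfy the rest.
<IfModule !mod_authz_core.c>
    Require valid-user
    Order Allow,Deny
    Allow from env=public_asset
    Satisfy Any
</IfModule>
```

If a theme or plugin calls wp-admin/admin-ajax.php from public pages, visitors will hit the same password prompt for those requests; add a matching SetEnvIf line for that path (or accept that those front-end features break for anonymous users).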

    synreaper

    (@synreaper)

    I am looking for the same exact solutions… my suggestion is to automatically update the .htpasswd file with user’s credentials so that the same credentials exist in both locations (database credential compare for segregated content delivery and standard ntlm style user authentication). If the authentication password file is auto-updated upon user creation, user deletion, credential changes and includes access grouping to mimic the ‘roles’ in the current wp system, then future plugins and future wp updates should have the capacity to have an actual authentication/security system.

    If anyone has started or completed a project like this, please post here for the rest of us to have wp components that we need.

  • The topic ‘Flaw in WP generated error page?’ is closed to new replies.