• Resolved orca26

    (@orca26)


    Hello WooCommerce community!

    I placed an .htaccess file in the wp-admin directory of my site. While that works perfectly for protecting the backend login, it also affects WooCommerce’s customer login.

    Now, when a customer enters the /my-account/ page, they are asked to provide credentials for HTTP Basic Authentication as well. Strangely, they can dismiss the popup window and continue with the normal login process.

    This behaviour occurs on fresh WordPress sites with just WooCommerce – also freshly – installed.

    How can you prevent this? Thanks for your help!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Shameem R. a11n

    (@shameemreza)

    Hi @orca26

    To solve this issue, you could consider modifying your .htaccess file to exclude the /my-account/ page from the HTTP Basic Authentication. This would ensure that customers can access the login page without any popups.

    However, if you’re not comfortable with editing the .htaccess file, we recommend using a security plugin that can help manage access to your admin area without affecting WooCommerce’s functionality. Jetpack, for example, is a comprehensive security solution that integrates seamlessly with WordPress and WooCommerce, and it offers a range of features to protect your site.

    You could also use another plugin like Wordfence Security or WPS Hide Login.

    If you’re interested in exploring other ways to enhance your site’s security and functionality, we also offer a variety of premium WooCommerce extensions on Woo.com that could be beneficial.

    I hope this information helps! Please let us know if you need further clarification or have any other questions.

    Thread Starter orca26

    (@orca26)

    Hey, thanks for your help.

    I tried several different configurations to exclude the my-account page, but none of them work.

    It seems to me that the my-account page does include something from the wp-admin directory in a way that the webserver also asks for HTTP auth on this page, which it should not.

    Is there a “real” URL of the my-account page (to where the request for /my-account/ gets redirected)?

    The following tests at least indicate that the my-account page URI also contains “wp-admin”:

    Variant 1:

    • Want to access URL containing “wp-admin”?
    • URL does not contain “my-account”? -> provide HTTP auth credentials

    <If "%{REQUEST_URI} =~ /wp-admin/">
        <If "%{REQUEST_URI} !~ /my-account/">
            AuthType Basic
            AuthName "Protected area"
            AuthUserFile /home/sites/.htpasswd
            Require valid-user
        </If>
    </If>

    When I access the /wp-admin directory, authentication is needed. But still, when accessing the customer login (my-account) page HTTP authentication is also needed, which does not make any sense to me.

    According to this code, the URI of the my-account page does contain the string “wp-admin”, otherwise I can’t explain how and why both conditions of the if-statements are true.

    Variant 2:

    SetEnvIf Request_URI .* noauth
    SetEnvIf Request_URI wp-admin !noauth
    SetEnvIf Request_URI my-account noauth
    
    <RequireAny>
      Require env noauth
      Require valid-user
    </RequireAny>

    Thanks for your help again!

    Plugin Support Shameem R. a11n

    (@shameemreza)

    Hello @orca26,

    It looks like you’re on the right track with excluding the my-account page in the .htaccess file. However, the issue might be due to the way WordPress internally rewrites URLs.

    The /my-account/ URL is not a real directory. So, when you’re trying to exclude it in the .htaccess file, it might not be recognized.

    The simplest solution would be to use a security plugin, as suggested before, to manage access to your admin area. This would avoid any potential conflicts with WooCommerce’s functionality.

    Alternatively, you could try adding the following code to your .htaccess file:

    AuthType Basic
    AuthName "Protected area"
    AuthUserFile /home/sites/.htpasswd
    Require valid-user

    This code will apply HTTP Basic Authentication to wp-login.php, admin-ajax.php, and all files in the wp-admin directory except for the my-account.

    I wish I could help more, but hopefully, this gets you going in the right direction to get the job done.

  • The topic ‘htaccess in wp-admin affects customer login page’ is closed to new replies.
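
The configuration discussed in this thread next to one that exempts the AJAX endpoint, as an added example that is not from any poster or from WooCommerce. It assumes Apache 2.4 and that the dismissible prompt comes from a background request the /my-account/ page makes to /wp-admin/admin-ajax.php, which the access log would show as a 401 whose Referer is /my-account/. The AuthUserFile path is the one used in the thread.

```apache
# /wp-admin/.htaccess  (added example, Apache 2.4 syntax assumed)

# --- Before: the setup described in the thread ----------------------------
# Every file under wp-admin/ requires Basic auth, admin-ajax.php included.
# /my-account/ itself is served by the root index.php, so it loads without a
# prompt; a background request to /wp-admin/admin-ajax.php then gets a 401
# and the browser asks for credentials. Dismissing the prompt only fails
# that one request, which is why the normal login still works.
#
#   AuthType Basic
#   AuthName "Protected area"
#   AuthUserFile /home/sites/.htpasswd
#   Require valid-user
#
# Matching on "my-account" in REQUEST_URI (Variant 1 and Variant 2) cannot
# help here: the URI of the request that is challenged is
# /wp-admin/admin-ajax.php. "my-account" appears only in its Referer.

# --- After: same protection, AJAX endpoint exempt -------------------------
AuthType Basic
AuthName "Protected area"
AuthUserFile /home/sites/.htpasswd
Require valid-user

# Authorization directives in a <Files> section replace the directory-level
# ones (AuthMerging defaults to Off), so this one file is served without a
# Basic auth challenge while the rest of wp-admin/ stays protected.
<Files "admin-ajax.php">
    Require all granted
</Files>

# If the prompt persists, look in the access log for other /wp-admin/ paths
# answered with 401 for visitors of /my-account/, and exempt only those files.
```

admin-ajax.php is designed to answer requests from logged-out visitors, so WordPress's own login and nonce checks remain the access control for it after this change.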