• Hello,

    I added basic authentication to my wp-login.php page.

    When a user logs out, he has to authenticate against my protection (this is a problem).

    I can see: /wp-login.php?action=logout

    The problem is that robots know the URL wp-login.php. I would like to change this URL. Does WooCommerce always use wp-login.php?

    Would you have a solution to this?

    Thank you in advance for your answers.

    Regards,

    https://www.ads-software.com/plugins/woocommerce/

  • Plugin Contributor Mike Jolley

    (@mikejolley)

    wp-login.php is the login page for WordPress. WooCommerce does not have or need its own account system – it just uses WordPress.

    Thread Starter my-press

    (@my-press)

    I do not understand the answer because I’m sure it’s possible.
    I could find some configurations for this but I cannot put them in place.

    Maybe with SetEnvIf.

    Example 1:

    <FilesMatch "^(wp-login.php)">
    SetEnvIf Query_String ^action=logout(.*) allow

    Options -Indexes +FollowSymLinks +MultiViews
    AuthName "Protected page. If you are not allowed to be here, leave the page"
    AuthType Basic
    AuthUserFile "YOUR_HTACCESS"

    Order Deny,Allow
    Satisfy any
    Deny from all
    Require valid-user
    Allow from env=allow
    </FilesMatch>

    Example 2:

    <FilesMatch "^(wp-login.php)">

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-login\.php [NC]
    RewriteCond %{QUERY_STRING} ^action=logout
    RewriteRule ^ - [ENV=requireAuth:1]

    Options -Indexes +FollowSymLinks +MultiViews
    AuthName "Protected page. If you are not allowed to be here, leave the page"
    AuthType Basic
    AuthUserFile "YOUR_HTACCESS"

    Order Deny,Allow
    Satisfy any
    Deny from all
    Require valid-user
    Allow from env=requireAuth

    </FilesMatch>

    Thread Starter my-press

    (@my-press)

    Reading your answer again, WooCommerce does actually use wp-login.php. I know that because I tried to bypass authentication with my "disconnect" button.

    When a user of my WooCommerce tries to disconnect, he receives the authentication prompt. This authentication is present to prevent brute-force attacks, but it stops users from logging off.

    I hope my explanation is clear.

    Thank you in advance.

    Plugin Contributor Mike Jolley

    (@mikejolley)

    What logout link are they using?

    I’m using esc_url( wc_logout_url( wc_get_page_permalink( 'myaccount' ) ) ) and the users always get the server-authentication after logout. Login works.
    I’ve inserted this code in my htaccess:

    <Files wp-login.php>
       AuthType Basic
       AuthName "Restricted Admin-Area"
       AuthUserFile /www/htdocs/xxx/xxx.de/.htpasswd
       Require valid-user
    </Files>
    • This reply was modified 8 years, 2 months ago by ratoli.
    Thread Starter my-press

    (@my-press)

    Thank you very much for your answer @Ratoli.
    To close the topic, I found how to handle authentication.

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-login.php$
    RewriteCond %{QUERY_STRING} ^action=logout
    RewriteRule ^ - [E=noauth]
    
    <FilesMatch "^(wp-login.php)">
    
            Options -Indexes +FollowSymLinks +MultiViews
            AuthName "Protected page. If you are not allowed to be here, leave the page"
            AuthType Basic
            AuthUserFile "/etc/apache2/htaccess/myhtaccess"
            Require valid-user
    
            Order Deny,Allow
            Deny from all
            Allow from env=noauth
    
            Satisfy any
    
    </FilesMatch>

    This works very well!
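
The same logout exemption written with Apache 2.4 authorization directives, as an added example that is not part of the original thread. It assumes Apache 2.4 (mod_authz_core), that WordPress logout links are plain GET requests whose query string begins with action=logout, and a placeholder AuthUserFile path.

```apache
# Added example, not from the thread. Assumes Apache 2.4 with mod_authz_core,
# mod_auth_basic and mod_authn_file. The AuthUserFile path is a placeholder.

# <Files> matches the exact file name, so names such as wp-login.php.bak are
# not matched, unlike the unanchored regex "^(wp-login.php)".
<Files "wp-login.php">
    AuthType Basic
    AuthName "Protected page"
    AuthUserFile "/path/to/.htpasswd"

    # <RequireAny> replaces the 2.2 idiom
    #   Order Deny,Allow / Deny from all / Allow from env=noauth / Satisfy any
    # Access is granted when either requirement below holds, and no
    # mod_rewrite environment variable is needed.
    <RequireAny>
        # Normal case: a valid Basic-auth user.
        Require valid-user

        # Logout exemption, narrower than "QUERY_STRING ^action=logout":
        #  - only GET requests (assumption: logout links are plain GET links)
        #  - action=logout must be the complete first parameter, so a value
        #    such as action=logoutfoo is not exempted
        Require expr "%{REQUEST_METHOD} == 'GET' && %{QUERY_STRING} =~ /^action=logout(&|$)/"
    </RequireAny>
</Files>
```

Use this in place of the Order/Deny/Allow/Satisfy lines rather than alongside them; the Apache documentation discourages mixing the old access directives with Require in the same section.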

    Thread Starter my-press

    (@my-press)

    In the url, I could find a parameter of this type: ?action=logout
