Password-Protect a Directory with .htaccess

  • I researched quite a bit and the best WordPress-aware explanation I found is here. I’ve done all that, but the last step — stopping WP from throwing a Page Not Found error before the server’s password challenge is popped up — isn’t working.

    There’s one small difference between the example they give of WP mod_rewrite code and the code I found in my .htaccess file. (It’s the first Rewrite rule in the WP section.) Since I don’t “speak” mod_rewrite, I’m posting below the new .htaccess file I created and asking you smart folks: Can you see why WP is still throwing Page Not Found before the server’s challenge can pop up?

    # This file belongs in the root directory of the Web site (/www).

# The first block of code is required by the .htaccess file that password protects the /www/archive directory.
# It prevents WordPress from throwing a Page Not Found error before the password challenge can pop up.

# Our installation of WordPress isn't using Pretty Permalinks (mod_rewrite),
#    so I don't know why WordPress has written the second block of code below.
#    (We're using Custom Structure: /index.php/%post_id%/%postname%/ )
#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC]
RewriteRule . - [L]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

    Thanks for your help!

Viewing 12 replies - 1 through 12 (of 12 total)

  • Searching for the same issue. I have two sites running WP. On one, the password protection works; the other gives the 404 page. blah

    You don’t need

    <IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC]
RewriteRule . - [L]
</IfModule>

    At the end of the file, just add 

    AuthType Basic
AuthName "restricted area"
AuthUserFile /home/yourusername/html/protected-dir/.htpasswd
require valid-user

    You would need to generate the .htpasswd file using a tool like

    https://www.kxs.net/support/htaccess_pw.html

    and save it as declared above, which is

    /home/yourusername/html/protected-dir/.htpasswd

    Please note that this is not the exact path, if you use cPanel, it should be something similar to

    /home/yourusername/public_html/protected-password/.htpasswd

    where you can create a folder called “protected-password” or save the file else where you want that is above public_html so it can’t be accessed publicly by your site visitors.

    @ Self Hosted WP.com – I was using the tool in cPanel to assist with creating the .htaccess entries and password files. But I’d get a redirect with a 404 error. The solution ended up being simple:

    at the top of /.htaccess add

    #next two lines allow password protected directories with 404 errors
    ErrorDocument 401 ./error.html
    ErrorDocument 403 ./error.html
    #

    then create error.html file.

    @westpointer Thanks for sharing. Usually that isn’t necessary, maybe it’s due to Apache core settings.

    Glad it’s solved.

    Thread Starter Charlie

    (@cdarling)

    @ WestPointer — I’d like to try your solution, but I’ve got questions.

    1) Those two lines — I add them at the beginning of the .htaccess file that’s in the root of the Web site, right? Not in the .htaccess file that’s in the password-protected directory, right?

    2) I don’t understand what the error.html file does. Could you give an example of what goes in that file?

    3) Am I correct that the error.html file goes in the root of the Web site?

    Thanks for your help!

    @charlie:

    1)Correct

    2) It’s just a simple HTML file, you can put a simple message or customized beautiful page. The following basic HTML will do:

    <html>
<head>
<title>401 Error</title>
</head>

<body>
<h1>Sorry, 401 Error...</h1>
</body>
</html>

    3) Yes.

    I was trying to solve the same problem with WordPress’s rewrite rule interfering with .htpasswd protected folders. The simplest solution is actually to change WordPress’s rewrite rule

    From
    RewriteRule . /index.php [L]

    To

    RewriteRule ./ /index.php [L]

    With this, the additional block of rewrite rule doesn’t seem to be needed anymore.

    @xephan Thanks for sharing!

    @xephan… Thanks indeed!

    There really shouldn’t be this level of challenge encountered when sites require non-WP-related password-protected directories to co-exist at the same level.

    Indeed, such accommodation should be defacto OOTB.

    amitramani

    (@amitramani)

    Thanks, @xephan!
    After trying the several other solutions and failing, I decided to give this a shot.
    And it works beautifully.

    Siteground also recommends this same procedure. Lets hope my htaccess does not get overwritten by some other plugin.

    https://kb.siteground.com/how_to_exclude_a_folder_from_wordpress_permalinks/

    Thanks @amitramani — updating the WordPress main .htaccess file as explained simply in the link you provided worked perfect for me!

    https://kb.siteground.com/how_to_exclude_a_folder_from_wordpress_permalinks/

    So my main .htaccess file is this:

    # BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule . /index.php [L] # replaced with next line...
RewriteRule ./ /index.php [L]
</IfModule>
# END WordPress

    And my subfolder that I want to password protect has .htaccess file:

    AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /home/juice/.htpasswds/.htpasswd
Require valid-user

    And no more WordPress 404 error! Woohoo!

    Thanks again,
    Marty McGee

    I edited .htaccess to
    RewriteRule ./ /index.php [L]

    It worked fine to get the password protected directory working. My problem now is that the 404 page changes. I get a generic 404 error, rather than the 404 theme page I’m using.

    If I go to a URL that doesn’t exist like mydomain.com/test I get this:
    Not Found
    The requested URL /test was not found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    However, if I go to mydomain.com/test/ (with the ending slash) I get the 404 page from my theme, with the template, sidebar, etc.

    Is there something I can to to ensure I always get the 404 page from my theme, and not the generic 404?

    Thanks,
    Don

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘Password-Protect a Directory with .htaccess’ is closed to new replies.