[Plugin: BulletProof Security] Directory Passwords causes 500 error

Which directory?
Are you adding htaccess code such as this below for password protecting directories or are you using your web host CP?

authtype basic
authgroupfile /foo/bar
authuserfile /path/to/.htpassword
authname “Foobar Secure Area *** Password Required”
require user foobarDude

My guesses at what might be happening.

you are trying to add password protection to folder /foo/.htaccess
and you are using the rewrite rules for your website root folder / not /foo rewrite rules in the /foo folder. Or rewrite rules do not need to be used at all.

The WP htaccess code you are showing above is for your root site directory. Are you trying to password protect your entire wordpress site?

You are trying to password protect your /wp-admin folder, which if you use rewrite rules for your /wp-admin folder will break your site and generate 500 Internal Server errors – no URL rewriting should be occurng in the wp-admin folder.

Please add some specific details about your site structure, directory in question, goal, etc etc. Thanks.

Hi AITpro,

Thank you for your quick response; I don’t know how I missed out which folder I was referring to!

I want to protect my wp-admin folder further, I have a dynamic IP, so it wasn’t feasible to put IPs in the htaccess.

I have little knowledge of htaccess files, that’s why I love BulletProof Security so much.. I didn’t realise that you can actually request a password via the htaccess.

My original intention is to use the cpanel’s directory security feature to provide a password before it serves the /wp-admin page. This works without rewrite code I posted previously, but with the rewrite code, I have to disable the directory security because of the 500 errors.

Is it better to request a password in the method you have stated above? I don’t understand what you are referencing with /foo/bar?

If using the cpanel’s directory security feature requires that I need to relax the security on the htaccess file/a step in the wrong directory to secure it further then maybe you advise not to use it?

Thank you

Tom

Thought you might have forgotten to add a little something. he he ?? All good. I took some logical guesses and it looks like i got pretty close to the what the issue is.

Yep it is fine to use your cpanel to create password protected directories. It is the same exact thing and is usually the quickest method instead of adding the .htaccess code and files manually.

So you actually do not need and should not be adding any URL rewriting code for your /wp-admin folder.

The only thing that would concern me is that WordPress would somehow lose some functionality by password protecting the wp-admin folder. I think logically this is ok, but I have never tried this.

See this WordPress Codex on adding password protection for the wp-admin folder and also SSL and some other neat things to Harden WP.
https://codex.www.ads-software.com/Hardening_WordPress#Securing_wp-admin

So after you use cpanel to automatically create the .htaccess file for you then the only other thing you might want to add to that .htaccess file is the security Exploits code from the BPS Master wp-admin .htaccess file to that file. Your .htacess authentication code comes first in order then you would add the security filters after that authentication code.

Thanks,
Ed

Ed, Thanks for your reply; I am able to understand better having spent the entire day trying to get it to work!

When I password protect the wp-admin directory, when the server processes the root htaccess, something in the code is stopping it from being accessed and I get a 404 page. (password protecting the directory causes the 404)

When I comment out the following lines:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
#RewriteRule ^index\.php$ - [L]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteCond %{REQUEST_URI} !^/wp-admin/.+$ #code1
RewriteRule . /index.php [L]
</IfModule>

I am able to get the authentication box when I browse to /wp-admin

I think the htaccess is able to rewrite anything which doesn’t exist and provide a 404 page, as the server cannot access the wp-admin, i think it is treated as a non existent directory and processes as 404.

How do i edit the htaccess so that I never re-write the wp-admin folder?

My host’s CP only allows me to put in basic auth, I was hoping to change it to digest.. unknowingly if it is supported. My htaccess under wp-admin says:

AuthType Basic
AuthName "Message to display"
AuthUserFile "/home/...etc..blabla.."
require valid-user

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Nicolas Kuttler suggested I always need admin-ajax.php and wp-admin/css/install.css (sometimes used on the front end) accessible… What is the syntax for adding that css file to the exception of the directory password?

Thanks Ed, Much appreciated. ??

Tom

hmmm this is not a standard WordPress line of htaccess code.
#RewriteCond %{REQUEST_URI} !^/wp-admin/.+$ #code1

I guess you added it yourself?

Instead of doing an “is not” condition why don’t you try an “is and skip”

RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteRule . – [S=1]

or this is kind of an interesting possibility in a general way just as an example of inluding multiple directories. this obviously is not going to help with what you are doing, but is has other possible uses.

RewriteCond %{REQUEST_URI} !^/(wp-admin|blah|foo|bar)
RewriteRule ^(.*)$ https://www.example.com/index.php/$1

Yep you will have to make some files accessible i’m pretty sure or WordPress will break. I have never played around with doing this so I can’t offer you definite working solutions. So you will just have to do trial and error experimentation. What i recommend is that you set up a php error log if you have not already so that when a file in wp-admin is needed and cannot be accessed by “Owner” then when WordPress breaks you should see a php error in your log file indicating which file cannot be accessed / processed.

Like i said since this is uncharted waters for me and the WP peeps are telling you this could break WordPress then you will just have to try a little of this and then a little of that to figure out exactly what works and what does not. Thanks.

Hi,

For some reason the rule will not skip:

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteRule . - [S=30]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

RewriteBase /
RewriteRule ^index\.php$ - [L]

When I comment out the RewriteCond %{REQUEST_FILENAME} !-f it works but as a result, I don’t get a WP 404 error, instead a dirty one.

I have tried all the combinations below:
RewriteCond %{REQUEST_FILENAME} !^/wp-admin/$ [NC]
RewriteRule . – [S=30,L]

The rule already appears to work using the original one above, but doesn’t skip the rest of the Rewrites. Maybe It skips all other Request_URLs and maybe doesn’t skip the FILENAME rules?

Is it possible to make exceptions in the Fequest_Filename rules:
RewriteCond %{REQUEST_FILENAME} !-f !^/wp-admin/
(this doesn’t work)

In the meantime, will try swopping the Request_URL for Request_filename..

Thanks!

Still no luck..

This guy is having the same problem as me:
https://www.webmasterworld.com/forum92/4676.htm

and in another thread, a guy removes the:
RewriteCond %{REQUEST_FILENAME} !-f
completely and replaces it with:

RewriteCond %{REQUEST_URI} !^/(content/view/.+|index\.php)$
RewriteRule ^(.*)$ /drupal/$1 [QSA,L]

RewriteRule ^content/view/.+$ /index.php [L]

on here: https://forum.modrewrite.com/viewtopic.php?f=4&t=9167

I have tried but no luck. I think it is the way the server handles protected directories.

Solved; I think.. All I had to do was put in ErrorDocument 401 default in;

ErrorDocument 401 default

# BEGIN WordPress
<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /
RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Oh Man!

and the wp-admin htaccess file looks like this:

AuthType Basic
AuthName "tom"
AuthUserFile "mylocation/wp-admin/passwd"
require valid-user

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

<Files install.css>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Would have been nice to put both files on the same line, ie:
<Files admin-ajax.php,install.css>
But this didn’t work.

The <Files install.css> works regardless it is inside wp-admin/css/

Thanks for your help.. ??

Well done! Your solution is much “cleaner” and will not cause unnecessary looping. ??

Have you tried using FilesMatch instead of just Files? They are both pretty much the same thing, but FilesMatch is supposedly the “better” method.

<FilesMatch “^(admin-ajax\.php|install\.css)”>
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>

Also I seem to remember that the skip rule would have to come after -f and -d conditions…

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

… but the direction you are going in is a much better approach all around so I would not try and make this work.
Thanks

Hi, Yeah, the FilesMatch works great.

Thank you very much for you help!