Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter orca26

    (@orca26)

    Hey, thanks for your help.

    I tried several different configurations to exclude the my-account page, but none of them work.

    It seems to me that the my-account page does include something from the wp-admin directory in a way that the webserver also asks for HTTP auth on this page, which it should not.

    Is there a “real” URL of the my-account page (to where the request for /my-account/ gets redirected)?

    The following tests at least indicate that the my-account page URI also contains “wp-admin”:

    Variant 1:

    • Want to access URL containing “wp-admin”?
    • URL does not contain “my-account”? -> provide HTTP auth credentials
    <If "%{REQUEST_URI} =~ /wp-admin/">
    
    <If "%{REQUEST_URI} !~ /my-account/">
    AuthType Basic
    AuthName "Protected area"
    AuthUserFile /home/sites/.htpasswd
    Require valid-user
    </If>
    
    </If>

    When I access the /wp-admin directory, authentication is needed. But still, when accessing the customer login (my-account) page, HTTP authentication is also needed, which does not make any sense to me.

    According to this code, the URI of the my-account page does contain the string “wp-admin”, otherwise I can’t explain how and why both conditions of the if-statements are true.

    Variant 2:

    SetEnvIf Request_URI .* noauth
    SetEnvIf Request_URI wp-admin !noauth
    SetEnvIf Request_URI my-account noauth
    
    <RequireAny>
      Require env noauth
      Require valid-user
    </RequireAny>

    Thanks for your help again!
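    The question above (which resource under /wp-admin/ the my-account page pulls in) can be answered from the Apache access log rather than by guessing at rewrite rules. The script below is an added example, not part of orca26's post or configuration: it assumes the standard "combined" LogFormat (request line, status, bytes, Referer and User-Agent, each string in double quotes) and lists every /wp-admin/ request whose Referer is the page being examined, together with the status it got. The log lines inside it are constructed for the example; on a real server you would pipe the actual access log into the function.

```shell
#!/bin/sh
# Added example, not orca26's configuration: work out which /wp-admin/ resource
# the /my-account/ page pulls in by reading the Apache access log.
# Assumes the "combined" LogFormat (request line, status, bytes, Referer and
# User-Agent, each string in double quotes). The lines below are constructed.

SAMPLE_LOG='203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /my-account/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 2210 "https://shop.example/my-account/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action HTTP/1.1" 401 381 "https://shop.example/my-account/" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"'

# Read log lines on stdin; print "<status> <uri>" for every request under
# /wp-admin/ whose Referer names the given page path ($1).
# Splitting each line on the double quote gives:
#   field 2 = request line, field 3 = " <status> <bytes> ", field 4 = Referer.
admin_hits_for_page() {
    awk -F'"' -v page="$1" '
    {
        split($2, req, " "); uri = req[2]
        split($3, st, " ");  status = st[1]
        referer = $4
        if (index(uri, "/wp-admin/") == 1 && index(referer, page) > 0)
            print status, uri
    }'
}

# Run the check over the constructed sample: which admin resource did loading
# /my-account/ request, and what status did the server answer with?
demo() {
    printf '%s\n' "$SAMPLE_LOG" | admin_hits_for_page "/my-account/"
}

demo
```

    Usage on a live server: `admin_hits_for_page /my-account/ < /var/log/apache2/access.log`. A 401 on a /wp-admin/ URI with the my-account page as Referer is the browser-side request that triggers the password prompt; once that resource is identified, a directive scoped to just that file (rather than a regex over the whole URI) is the usual way to exempt it while keeping the rest of /wp-admin/ behind authentication.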

    Thread Starter orca26

    (@orca26)

    Alright, I understand that.

    But I wonder if anyone has an idea how it could have been possible to leave a comment without using a comment form?

    Is/Was there a way to comment using wp-comments-post.php (or another API) so that it registers receiving a comment without checking if the post exists?

    I could not find any exploits regarding the commenting function within the latest changes. Is there a way to check if the site has been compromised while achieving this strange behaviour?

    Thank you very much for any thoughts on that!
