Solved

Need to exclude an .htaccess/.htpasswd protected subdirectory from WordPress toplevel .htaccess

Posted on 2014-01-03
2
1,235 Views
Last Modified: 2014-01-04
For years, I had a subdirectory such as

http://www.centerforward.com/test

available to myself for my personal use, password protected with .htaccess and .htpasswd, ie an .htaccess in /test with:
---------------------------------------------------
AuthUserFile /home/centerfo/public_html/test/.htpasswd
AuthGroupFile /dev/null
AuthName "Authorized user"
AuthType Basic

<Limit GET>
require user testuser
</Limit>
---------------------------------------------------
(with a corresponding .htpasswd that allowed "testuser" to login and see /test.

But when I made centerforward.com a WordPress site instead of a handcoded site, WordPress came with its own .htaccess that messed up my /test from working, and instead of resolving with the password login prompt, it would resolve to my WP website with a "404 Page not found" - as you can see now:

http://www.centerforward.com/test/

*IF* I remove the .htaccess from /home/centerfo/www/test/, (ie NO password protection), THEN it comes up fine.  But as soon as I put the .htaccess back (because I NEED password protection), the 404 not found comes back.

This link seemed to address my problem:

http://tanyanam.com/technology/wordpress-exclude-directory-from-url-rewrite-with-htaccess

But her solution for /home/centerfo/www/.htaccess didn't work for adding password protection inside /test:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !^/(test|test/.*)$
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If I attempt the password protection in /test, then it's 404 not found, and if I remove the password protection (which I can't leave like that), then it resolves fine.

My linux admins are telling me this is outside the scope of that they can help me with (which is really lame).  I greatly appreciate any help, as well as recommendations for an affordable linux admin!!  

Thank you so much,
Alan
0
Comment
Question by:centerforward
2 Comments
 
LVL 70

Accepted Solution

by:
Jason C. Levine earned 500 total points
ID: 39755099
*IF* I remove the .htaccess from /home/centerfo/www/test/, (ie NO password protection), THEN it comes up fine.  But as soon as I put the .htaccess back (because I NEED password protection), the 404 not found comes back.

This is a long-time issue with WordPress when attempting to protect a subdirectory.  Otto (one of the WordPress core developers) addresses it here:

http://wordpress.org/support/topic/htaccess-and-subdirectories

Read through that thread to see why it happens.  Quoting:

.htaccess files are additive. Whenever you request a page, the webserver basically goes through every directory down the tree from the root (specified by the closest match of <Directory ...> in the httpd.conf file), and adds all the .htaccess files together. As it traverses them, it parses each one. Later .htaccess files override previous ones, but only for the same specified items. RewriteRules are cumulative.

So what I think is going on is that the authorization in the password protected directory is forcing a 401 response ("Authorization Required") back to the client. Normally, the client would get the 401 and ask for a password.

However, in this case, this 401 response is intercepted by the WordPress RewriteRules which says to rewrite everything to WordPress. This is because .htaccess's are cumulative and your closest matching Directory is the root.

The solution (which is somewhat easy to miss) is:

In WordPress's .htaccess file, add this to the top of the file:

ErrorDocument 401 /path/to/onerror.html

See if that makes any difference. If it doesn't, add another line with 403 instead of 401.
0
 

Author Closing Comment

by:centerforward
ID: 39756653
YES ,,,,, THAT DID IT!!!!

Worked perfect.  Just added that dummy file, and the line and path to it in the main WP .htaccess.  As long as the sub .htaccess and .htpasswd are set up right, it finally prompts the pw login and works perfect. !

That has been driving me crazy for WEEKS man.  What a random and tricky solution,, I'm so glad you remembered that link and where to find it.  

THANK YOU SO MUCH !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Suggested Solutions

Do you think that WordPress is just for blogs?  Think again!  WordPress is really a fantastic all around platform that you can use to develop websites on.  Integrated into its basic functionality is the ability to create pages using your choice of a…
So you have coded your own WordPress plugin and now you want to allow users to upload images to a folder in the plugin folder rather than the default media location? Follow along and this article will show you how to do just that!
The purpose of this video is to demonstrate how to reset a WordPress password if you are locked out and cannot reset the password. A typical use would be if you cannot access the email to which WordPress would send the password recovery email to…
The purpose of this video is to demonstrate how to Import and export files in WordPress. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Click on Too…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now