Home » Wordpress » How can I access a password protected directory when htaccess redirects to 404?

How can I access a password protected directory when htaccess redirects to 404?

Posted by: admin November 30, 2017 Leave a comment

Questions:

I have a wordpress install with the following htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_URI} !^/secure-area/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

and a directory /public_html/secure-area/ which has been protected using cPanel.

  • If I turn off prettylinks in WordPress, I can access the directory normally, but otherwise, I am redirected to the WP 404 page.
  • I can access a directory that is not password protected without any problems.

I’m asking here because this is an htaccess problem, not just wordpress specific, and the answers I’ve seen over here seem better qualified.

Many thanks, Tim

Similar questions which don’t address password protected directories:

Answers:

I had this same problem under cPanel. In my case it was due to the “~/.htpasswds/public_html/secure-dir/passwd” file/directory not having the correct permissions. I called the hosting company and they chown’d the file with the correct permissions and it worked.

It really had me stumped in that it looked like the directory protection was working b/c it was popping up the AUTH window. But when Apache went to verify the passwd it would choke and serve the WP standard 404 page.

Questions:
Answers:

The 404 is from not having “401” Error document – one is specified by default with cpanel but not usually not set up by the host. I created a blank document and added this to my .htaccess:

ErrorDocument 401 /empty.html

I did this to protect my wp-admin folder from future/unknown WordPress exploits after someone defaced my site.

Questions:
Answers:

I’m still interested in solving this, because I’d like a portable solution, but my workaround is that I’ve removed password protection and restricted access to my own IP address.

I added an htaccess file in the /secure-area/ directory with the following code from Perishable Press – Studpid htaccess tricks:

# deny all except those indicated here
<Limit GET POST PUT>
 order deny,allow
 deny from all
 allow from x.x.x.x
 allow from .*domain\.com.*
</Limit>

I’ve got a few scripts i run in there, so i also add:

# enable directory browsing
Options All +Indexes

for ease of use, given that it (should be) a secure directory.

I’m interested in hearing whterh this is a silly, insecure way of going about things 🙂 Ta

Questions:
Answers:

I was having the same problem and this worked for me: http://support.aiso.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=246

Just switch the 401 Error Document line to read:
ErrorDocument 401 default