Some days ago I decided to improve the security of my new WordPress blog by using .htaccess and Basic Authentication to protect the wp-admin folder. This task was rather trivial, as the whole procedure is well documented in the Apache manual and there are convenient online tools to create the necessary .htaccess and .htpasswd files (.htaccess generator & .htpasswd generator) for those who don’t have their own server and use shared hosting instead.
So far, so good. But when I tried to access wp-login.php, which is located in WordPress’ base folder, I realized that it uses two CSS files from the folder wp-admin/css. As wp-login.php and the two CSS files should be accessible to any visitor of my blog, I needed to find a way to exclude the subfolder wp-admin/css from the Basic Authentication protecting wp-admin. Unfortunately, there seems to be no dedicated directive for that purpose.
After crawling Google for approximately two hours I finally managed to find a solution, which needs only three lines of code to bypass the Basic Authentication of the parent directory. Simply create a new .htaccess file in the subfolder you want to exclude from the authentication and add the following lines:
    Order Deny,Allow
    Allow from all
    Satisfy any
“Allow from all” will grant any IP address access to this folder. But the decisive line is “Satisfy any”, which tells the server to require either a correct Basic Authentication or the satisfaction of the “Deny/Allow” properties (the default is “Satisfy all”, which requires both). As “Allow from all” gives access to anyone, this effectively neutralizes the Basic Authentication inherited from the parent folder.
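Because these three lines switch off authentication inherited from a parent folder, it is worth checking that they only exist where you intended. The following Python audit is an added example, not part of the original post: it lists every directory under a web root whose .htaccess lifts authentication set in an ancestor's .htaccess. It assumes authentication is configured only in .htaccess files with the directives shown on this page (Apache 2.4 "Require"-based overrides are not detected); the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Apache 2.2-style directives, as used on this page
AUTH_TYPE = re.compile(r"^\s*AuthType\s+\S+", re.I | re.M)
SATISFY_ANY = re.compile(r"^\s*Satisfy\s+any\b", re.I | re.M)
ALLOW_ALL = re.compile(r"^\s*Allow\s+from\s+all\b", re.I | re.M)


def read_htaccess(directory):
    """Return the directory's .htaccess text without comment lines ('' if absent)."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return "".join(line for line in fh if not line.lstrip().startswith("#"))


def find_auth_exemptions(webroot):
    """List directories whose .htaccess lifts authentication set in an ancestor."""
    webroot = os.path.abspath(webroot)
    protected, exempt = set(), []
    for current, _dirs, _files in os.walk(webroot):  # top-down: parents first
        text = read_htaccess(current)
        inherited = os.path.dirname(current) in protected
        if inherited and SATISFY_ANY.search(text) and ALLOW_ALL.search(text):
            exempt.append(os.path.relpath(current, webroot).replace(os.sep, "/"))
        if inherited or AUTH_TYPE.search(text):
            protected.add(current)
    return sorted(exempt)


def demo():
    """Build a constructed sample tree and audit it."""
    auth = 'AuthType Basic\nAuthName "Admin"\nAuthUserFile /path/to/.htpasswd\nRequire valid-user\n'
    override = "Order Deny,Allow\nAllow from all\nSatisfy any\n"
    tree = {
        "wp-admin": auth,
        "wp-admin/css": override,  # the intended exemption from the article
        "wp-admin/includes": "# Allow from all\n# Satisfy any\n",  # commented out
        "wp-content": override,  # no authentication above it: nothing to lift
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in tree.items():
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                fh.write(body)
        return find_auth_exemptions(root)


if __name__ == "__main__":
    print(demo())
```

Run `find_auth_exemptions()` against your own web root and compare the result with the list of folders you deliberately opened up.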
awesome this saved me
Thanks for the post. This article helped me find the solution immediately.
Thanks much for posting this. I was really banging my head against the wall with exactly the same need. I don’t think I would ever have found the “satisfy all” directive.
This was a bit of a life-saver that solved a rather unique need.
Thanks so much again!
qclwu usxv nxay dczuktp kbcfspdnj befjvzr bernp
I have no idea whether this comment was written in an actual language / gibberish or just represents a string of pseudo-random characters.
The above was spam I guess
Awesome guide!
Exactly what I need!
You are most likely right about the spam nature of the above comment. But as this blog doesn’t have too many comments yet, I try to produce as few false positives as possible in my capacity as a human spam filter.
Hi,
I protected the wp-admin directly. (.htaccess and .htpasswd are directly under wp-admin folder) So I guess I can’t use this solution?
If possible, can you post the .htaccess code that you are using under your main WP installation?
Thanks! I have googled for half an hour looking for this solution…
lucky less than 5 min. Thanks :p
Thanks that’s saved me lots of time:)
Is it possible to exclude a certain file in a protected directory?
You saved me tens of minutes of searching and reading the manual for the correct syntax and solution!
Thanks for publishing!