Forum Topic: WP htaccess code breaks protected subdir

Forum: .htaccess Forum : WordPress • Posted by Steve Jones • Updated:

I have a userid – let’s call him ‘mort’ – with several domains, some with WordPress and some without. On the server they look like this:

/home/mort/domainwithoutWP.com/
/home/mort/domainwithWP.com/

I’ve put most of the 5G stuff in /home/mort/.htaccess and it works fine on all of the domains. Let’s call that the user root .htaccess file.

For the domains which have WordPress I have put an additional .htaccess dir in their root with the 5G WP stuff, and some other WP stuff. Let’s call that the domainWP root htaccess file:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

order allow,deny
deny from all

#5G:[WordPress]
RedirectMatch 403 /\$\&
RedirectMatch 403 (?i)/\&(t|title)=
RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|shadow|userfiles)
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-login.php [NC]
RewriteCond %{REQUEST_URI} (wp\-login|login)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(wp\-admin|admin|wp\-login|login)/?$ [NC]
RewriteRule .* http://domainwithWP.com/wp-login.php [R=301,L]

Some subdirectories have their own .httaccess file for authorization purposes, such as /home/mort/domainwithWP.com/protecteddir/.htaccess. Let’s call that the directory .htaccess file:

AuthType Basic
AuthUserFile /home/mort/domainwithWP.com/protecteddir/.htpasswd
AuthName "stats"
require valid-user
DirectoryIndex acustompage.html

My problem is that in domains which have the domain WP root access file, subdirectories which are protected with the directory .htaccess file are throwing a 404 error.

I have narrowed the problem down to this portion of the domainWP root htaccess file:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

If that code is commented out, my protected dir works fine – I am prompted to enter the userid & pw and allowed in.

But if that code is not commented out, I get a 404 error.

I’ll be grateful if you can lead me out of the weeds. You may have detected that I don’t know much about this stuff. I shall not be insulted if you speak slowly with short words.

Regards,

Steve Jones

1 Reply to “WP htaccess code breaks protected subdir”

Posted by Jeff Starr

Hi Steve,

This looks like a case of the WP issue reported here: https://core.trac.wordpress.org/ticket/2397

There are numerous workarounds available, including the following:

  1. Place the authentication directives before the WP rules: more info
  2. Create a 0 byte file called “empty”. Add this to the .htaccess output: ErrorDocument 401 empty: more info
  3. Further explanation and more possible solutions: more info

These are mentioned in the order that I would try them.. (i.e., least invasive to more complicated). Hopefully that sheds some light on the issue!