Opened 5 years ago

Last modified 3 years ago

#28798 reopened enhancement

htaccess and protected option

Reported by: YU.Design
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.0
Component: Posts, Post Types
Keywords:
Focuses:
Cc:
PR Number:

Description

I already tried to solve this problem in the forum and was told that it is a matter for core. So this is not a bug report but my suggestion for an improvement regarding the following matter:

For security reasons I use htaccess to protect my wp-login.php.

Now I'd like to protect a single page by using the WordPress password protected option. Unfortunately, /wp-login.php?action=postpass is needed by this option. As a consequence, all the visitors who want to see my password protected page also need my htaccess password for wp-login, or I can't use htaccess to protect my wp-login.

Would it be possible to use the password protection for single pages and posts without using wp-login.php? Maybe by creating an extra transfer page for protected content, named differently from wp-login?

I'm no developer and am just talking from the perspective of a WordPress user. In case this idea is foolish, I apologize in advance.

Change History (4)

#1 @nacin
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

A long while ago, we handled post passwords through a separate file, but there was little need to do so.

Hypothetically you could change this, but it'd be kind of a pain. You'd have to filter the form action URL used in get_the_password_form() and then handle the code in the 'postpass' branch by yourself. That's not ideal. A simpler option is to not lock down wp-login.php when the URL is action=postpass.
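The approach described in the comment above, sketched as a small plugin. This is an added example, not code from the ticket or from WordPress core. The query variable name `example_postpass` is made up for the example, and the cookie handling is written on the assumption that it mirrors what core's 'postpass' branch does.

```php
<?php
/**
 * Plugin Name: Post password endpoint outside wp-login.php (added example)
 */

// Hypothetical query variable chosen for this example; not a WordPress name.
const EXAMPLE_POSTPASS_VAR = 'example_postpass';

// 1. Point the form at the front end instead of wp-login.php?action=postpass.
add_filter( 'the_password_form', function ( $form ) {
	$core_action = esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) );
	$own_action  = esc_url( home_url( '/?' . EXAMPLE_POSTPASS_VAR . '=1' ) );
	return str_replace( $core_action, $own_action, $form );
} );

// 2. Handle the submission the way the 'postpass' branch is assumed to.
add_action( 'init', function () {
	if ( ! isset( $_GET[ EXAMPLE_POSTPASS_VAR ] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}

	// Redirect only to the referring page, or home if there is none;
	// wp_safe_redirect() does not follow hosts that are not allowed for this site.
	$referer = wp_get_referer();
	$target  = $referer ? $referer : home_url( '/' );

	// Ignore requests without a scalar password (e.g. post_password[]=x).
	if ( isset( $_POST['post_password'] ) && is_string( $_POST['post_password'] ) ) {
		require_once ABSPATH . WPINC . '/class-phpass.php';
		$hasher = new PasswordHash( 8, true );
		$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
		$secure = ( 'https' === parse_url( $target, PHP_URL_SCHEME ) );

		// Store only a hash of the submitted password; core compares it
		// against the post's password when rendering the protected content.
		setcookie(
			'wp-postpass_' . COOKIEHASH,
			$hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ),
			$expire,
			COOKIEPATH,
			COOKIE_DOMAIN,
			$secure
		);
	}

	wp_safe_redirect( $target );
	exit;
} );
```

With the form posting to the front end, the HTTP authentication on wp-login.php can stay in place for every action. The new endpoint accepts unauthenticated POSTs, so any rate limiting applied to post-password guesses has to cover it too.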

#2 @LukeWordPress
5 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

SetEnvIf does work with Query_String. So I tried using RewriteCond %{QUERY_STRING} action=postpass [NC] within .htaccess but unfortunately the mod_auth module gets executed before mod_rewrite. I am back to square one.

It would be great if post passwords went through a separate file. This gives users the option of locking down the wp-login.php file against a brute force attack. I understand that this is not foolproof, but some security is better than none.

#3 @SergeyBiryukov
5 years ago

  • Milestone set to Awaiting Review

#4 @SergeyBiryukov
3 years ago

  • Component changed from General to Posts, Post Types