Opened 10 years ago
Last modified 3 years ago
#28798 reopened enhancement
htaccess and protected option
| Reported by: | YU.Design | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.0 |
| Component: | Posts, Post Types | Keywords: | |
| Focuses: | | Cc: | |
Description
I already tried to solve this problem in the forum and was told that it is a matter of the core. So this is not a bug but my suggestion for an improvement of the following matter:
For security reasons I use htaccess to protect my wp-login.php.
Now I'd like to protect a single page by using the WordPress password protected option. Unfortunately /wp-login.php?action=postpass is needed by this option. As a consequence, all the visitors that want to see my password protected page also need my htaccess password for wp-login, or I can't use htaccess to protect my wp-login.
Would it be possible to use the password protection for single pages and posts without using wp-login.php? Maybe by creating an extra transfer page for protected content, named differently from wp-login?
I'm no developer and am just talking from the perspective of a WordPress user. In case this idea is foolish, I apologize in advance.
Change History (6)
#1, 10 years ago (follow-up: ↓ 5)
- Milestone Awaiting Review deleted
- Resolution set to worksforme
- Status changed from new to closed
#2, 10 years ago
- Resolution worksforme deleted
- Status changed from closed to reopened
SetEnvIf does work with Query_String. So I tried using RewriteCond %{QUERY_STRING} action=postpass [NC] within .htaccess, but unfortunately the mod_auth module gets executed before mod_rewrite. I am back to square one.
It would be great if post passwords were handled through a separate file. This gives users the option of locking down the wp-login.php file against a brute force attack. I understand that this is not foolproof, but some security is better than none.
#5, 3 years ago (in reply to: ↑ 1)
Replying to nacin:
> A long while ago, we handled post passwords through a separate file, but there was little need to do so.
> Hypothetically you could change this, but it'd be kind of a pain. You'd have to filter the form action URL used in get_the_password_form() and then handle the code in the 'postpass' branch by yourself. That's not ideal. A simpler option is to not lock down wp-login.php when the URL is action=postpass.
#6, 3 years ago
I had opened a similar request, #52390.
Today I found this one; I wanted to comment on the suggestion above, as it's pretty old.
For everybody trying to do this: do not do it. Reset/login functions can be called by overriding action with POST, so if you allow action=postpass, you also allow everything else. Maybe it was possible in the past, but now it is not.
I really think both pages should be separated.
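The approach nacin sketches in #5 (filter the form action that get_the_password_form() emits, then handle the 'postpass' branch yourself), done in a way that respects the warning in #6 (no query-string exception for wp-login.php at all, so a POSTed action cannot slip past the HTTP auth). The following is an added example written for this page, not code from WordPress core or from anyone in this ticket. It is a hypothetical mu-plugin: the query variable ex_postpass, the function names and the plugin header are all made up here. It assumes the cookie contract core checks in post_password_required() at the time of this ticket: a phpass hash of the submitted password stored in the wp-postpass_{COOKIEHASH} cookie. Compare the 'postpass' branch of your installed wp-login.php before relying on it, and copy whatever hashing call that branch uses, since the cookie must be produced the way post_password_required() expects.

```php
<?php
/**
 * Plugin Name: Post password form off wp-login.php (added example)
 *
 * Added example, not WordPress core code. Moves the post-password form
 * submission from wp-login.php?action=postpass to a hypothetical front-end
 * endpoint (/?ex_postpass=1) so that wp-login.php can be blocked outright by
 * HTTP auth in .htaccess, without any "allow action=postpass" exception.
 * Drop the file into wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Hypothetical query variable that marks the replacement endpoint.
const EX_POSTPASS_VAR = 'ex_postpass';

/**
 * Endpoint URL on the front end, away from the protected /wp-login.php path.
 */
function ex_postpass_endpoint_url() {
	return add_query_arg( EX_POSTPASS_VAR, '1', home_url( '/' ) );
}

/**
 * Rewrite the action attribute of the form built by get_the_password_form().
 * Core renders action="<site_url( 'wp-login.php?action=postpass', 'login_post' )>";
 * the same esc_url() call is used here so the string matches byte for byte.
 * If core changes its markup this replacement silently does nothing, so verify
 * the rendered form after upgrades.
 */
function ex_postpass_rewrite_form( $output ) {
	$core_action = esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) );
	return str_replace(
		'action="' . $core_action . '"',
		'action="' . esc_url( ex_postpass_endpoint_url() ) . '"',
		$output
	);
}
add_filter( 'the_password_form', 'ex_postpass_rewrite_form' );

/**
 * Handle the submission. Mirrors the 'postpass' branch of wp-login.php as it
 * stood for the versions discussed in this ticket: set wp-postpass_{COOKIEHASH}
 * to a phpass hash of the password and bounce back to the referring page.
 * post_password_required() later compares that cookie against the post password.
 */
function ex_postpass_handle() {
	if ( ! isset( $_GET[ EX_POSTPASS_VAR ] ) || 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		return;
	}

	// Same guard as core: without a password field, just send the visitor back.
	if ( ! array_key_exists( 'post_password', $_POST ) ) {
		wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url( '/' ) );
		exit;
	}

	require_once ABSPATH . WPINC . '/class-phpass.php';
	$hasher = new PasswordHash( 8, true );

	// Core's default lifetime is 10 days; the same filter name is honoured here.
	$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );

	$referer = wp_get_referer();
	$secure  = $referer && ( 'https' === wp_parse_url( $referer, PHP_URL_SCHEME ) );

	setcookie(
		'wp-postpass_' . COOKIEHASH,
		$hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ),
		$expire,
		COOKIEPATH,
		COOKIE_DOMAIN,
		$secure
	);

	wp_safe_redirect( $referer ? $referer : home_url( '/' ) );
	exit;
}
add_action( 'init', 'ex_postpass_handle' );
```

With this in place the .htaccess rule for wp-login.php can stay a plain "require valid-user" with no query-string carve-out, which is the point of #6: the endpoint above only ever sets the post-password cookie, so a POST body carrying action=lostpassword or action=login has nothing to override. The cost is the one nacin names: you now own a copy of core's cookie logic and must re-check it against wp-login.php on upgrades.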