Make WordPress Core

Opened 10 years ago

Last modified 3 years ago

#28798 reopened enhancement

htaccess and protected option

Reported by: YU.Design
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.0
Component: Posts, Post Types
Keywords:
Focuses:
Cc:

Description

I already tried to solve this problem in the forum and was told that it is a matter of the core. So here is not a bug but my suggestion for an improvement of the following matter:

For security reasons I use htaccess to protect my wp-login.php.

Now I'd like to protect a single page by using the WordPress password protected option. Unfortunately /wp-login.php?action=postpass is needed by this option. As a consequence, all the visitors who want to see my password protected page also need my htaccess password for wp-login, or I can't use htaccess to protect my wp-login.

Would it be possible to use the password protection for single pages and posts without using wp-login.php? Maybe by creating an extra transfer page for protected content, named differently from wp-login?

I'm no developer and am just talking from the perspective of a WordPress user. In case this idea is foolish, I excuse myself in advance.

Change History (6)

#1 follow-up: @nacin
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

A long while ago, we handled post passwords through a separate file, but there was little need to do so.

Hypothetically you could change this, but it'd be kind of a pain. You'd have to filter the form action URL used in get_the_password_form() and then handle the code in the 'postpass' branch by yourself. That's not ideal. A simpler option is to not lock down wp-login.php when the URL is action=postpass.

#2 @LukeWordPress
10 years ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

SetEnvIf does work with Query_String. So I tried using RewriteCond %{QUERY_STRING} action=postpass [NC] within .htaccess but unfortunately the mod_auth module gets executed before mod_rewrite. I am back to square one.

It would be great if post passwords were handled through a separate file. This would give users the option of locking down the wp-login.php file against a brute-force attack. I understand that this is not foolproof, but some security is better than none.

#3 @SergeyBiryukov
10 years ago

  • Milestone set to Awaiting Review

#4 @SergeyBiryukov
8 years ago

  • Component changed from General to Posts, Post Types

#5 in reply to comment 1, @briandd
3 years ago

Replying to nacin:

A long while ago, we handled post passwords through a separate file, but there was little need to do so.

Hypothetically you could change this, but it'd be kind of a pain. You'd have to filter the form action URL used in get_the_password_form() and then handle the code in the 'postpass' branch by yourself. That's not ideal. A simpler option is to not lock down wp-login.php when the URL is action=postpass.

#6 @briandd
3 years ago

I had opened a similar request, #52390.

Today I found this one; I wanted to comment on the suggestion above, as it's pretty old.

For everybody trying to do this: do not do it. Reset/login functions can be called by overriding action with POST, so if you allow action=postpass, you also allow everything else. Maybe it was possible in the past, but now it is not.

I really think both pages should be separated.

Last edited 3 years ago by briandd
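The approach nacin sketches in comment 1 (filter the form action URL produced by get_the_password_form() and handle the postpass work yourself), written as a small mu-plugin so that wp-login.php can stay fully behind HTTP auth with no query-string exemption, which is exactly the exemption comment 6 warns against. This is an added example, not code from this ticket or from WordPress core; the plugin name, the query argument `example_postpass` and the two function names are assumptions. It mirrors the 'postpass' branch of wp-login.php as it stood when this ticket was active (phpass-hashed `wp-postpass_*` cookie); later core versions changed the post-password hashing, so the cookie value must be produced the way the installed core's post_password_required() verifies it, which you should confirm against your own wp-login.php before deploying.

```php
<?php
/**
 * Plugin Name: Separate post-password endpoint (added example, not WordPress core code)
 *
 * Moves the post-password form submission off wp-login.php so that
 * wp-login.php can be locked down in .htaccess without any
 * action=postpass exemption. Drop into wp-content/mu-plugins/.
 */

// Hypothetical query argument that marks the new endpoint (assumption).
const EXAMPLE_POSTPASS_ARG = 'example_postpass';

/**
 * Rewrite the action URL of the password form returned by
 * get_the_password_form(). 'the_password_form' is the core filter
 * applied to that HTML; the replaced string is rebuilt exactly as
 * core builds it so str_replace() matches.
 */
function example_postpass_form_action( $output ) {
	$core_action = esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) );
	$new_action  = esc_url( add_query_arg( EXAMPLE_POSTPASS_ARG, '1', home_url( '/' ) ) );
	return str_replace( $core_action, $new_action, $output );
}
add_filter( 'the_password_form', 'example_postpass_form_action' );

/**
 * Handle the submission on the front end, before the main query runs.
 *
 * This endpoint does one thing only: it sets the post-password cookie.
 * It never dispatches on a user-supplied 'action' parameter, so unlike an
 * exemption for wp-login.php?action=postpass it cannot be steered into the
 * login or password-reset branches by overriding 'action' in the POST body
 * (the problem briandd describes in comment 6).
 */
function example_postpass_handle() {
	if ( ! isset( $_GET[ EXAMPLE_POSTPASS_ARG ] ) ) {
		return;
	}

	$referer  = wp_get_referer();
	$fallback = $referer ? $referer : home_url( '/' );

	// Only accept a real form submission; anything else goes back where it came from.
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! array_key_exists( 'post_password', $_POST ) ) {
		wp_safe_redirect( $fallback );
		exit;
	}

	// Same hasher the core 'postpass' branch used at the time of this ticket.
	require_once ABSPATH . WPINC . '/class-phpass.php';
	$hasher = new PasswordHash( 8, true );

	// Same lifetime filter core applies (10 days by default).
	$expire = apply_filters( 'post_password_expires', time() + 10 * DAY_IN_SECONDS );
	$secure = $referer && 'https' === wp_parse_url( $referer, PHP_URL_SCHEME );

	setcookie(
		'wp-postpass_' . COOKIEHASH,
		$hasher->HashPassword( wp_unslash( $_POST['post_password'] ) ),
		$expire,
		COOKIEPATH,
		COOKIE_DOMAIN,
		$secure,
		true // HttpOnly: an addition over the core branch, which did not set it.
	);

	wp_safe_redirect( $fallback );
	exit;
}
add_action( 'init', 'example_postpass_handle' );
```

With this in place the password form posts to the site's front page with `?example_postpass=1`, so the .htaccess block protecting wp-login.php can use an unconditional `Require valid-user` and visitors of password-protected posts never hit HTTP auth. The endpoint reads only `post_password` and ignores every other field, which is the property that the query-string exemption could not provide: the exemption keyed on `action=postpass` in the URL while wp-login.php read the action from `$_REQUEST`, where a POST body value overrides the query string.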