Opened 20 months ago

Last modified 13 days ago

#42120 new defect (bug)

htpasswd protection not working due to .htaccess rewrite rules

Reported by: subscriptiongroup
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.8.2
Component: Rewrite Rules
Keywords:
Focuses:
Cc:

Description

Came across a strange bug whilst trying to password protect our staging sites.

This seems to be a known issue, as a solution is already suggested online; however, unless you know where to look, the first port of call would be to check with the server configuration/Apache/WHM.

Considering this is a small and easy fix that shouldn't break other features, it would be great to include it in core.

The setup

  • WHM 66.0.24 CentOS 7.4
  • Apache
  • Latest WP installed at /public_html

Steps to reproduce

  1. Enable permalinks
  2. Go to cPanel and enable "Directory Privacy" on the public_html folder OR
  3. Update .htaccess to append AND
    AuthType Basic
    AuthName "Test"
    AuthUserFile "/home/username/.htpasswds/public_html/passwd"
    require valid-user
    
  4. Create the passwd file on the directory shown above
  5. Go to your staging site such as staging.website.com and confirm the login prompt is showing
  6. Don't enter any details, but click cancel multiple times
  7. Notice how the page content is now showing.
  8. Try ctrl+u to see the source of the page and notice how the whole HTML is there.

The solution

  1. Edit the .htaccess file in your WordPress home folder
  2. Find the line RewriteRule . /index.php [L]
  3. Replace with RewriteRule ./ /index.php [L]

The sources of this fix
Kudos to WHM Support who directed me to the solution and HostGator for actually publishing it
http://support.hostgator.com/articles/wordpress-preventing-you-from-password-protecting-a-directory
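
A way to verify the behaviour in steps 5 to 8 without a browser, and to re-check after changing the rewrite rule. This is an added example, not part of the ticket or of WordPress; it assumes the page HTML arrives in the body of the 401 challenge response (what the browser shows after Cancel), and the marker strings, function names and sample responses are constructed for illustration.

```python
"""Check whether HTTP Basic auth really hides a site (added example)."""
import sys
import urllib.error
import urllib.request

# Assumed markers of rendered WordPress output; adjust for the site under test.
WP_MARKERS = ("wp-content/", "wp-includes/")


def classify(status, headers, body):
    """Classify an unauthenticated response: protected, leak, open or inconclusive."""
    challenged = status == 401 and "www-authenticate" in {k.lower() for k in headers}
    exposed = any(marker in body for marker in WP_MARKERS)
    if challenged:
        # The login prompt appears either way; the body is what Cancel reveals.
        return "leak" if exposed else "protected"
    return "open" if exposed else "inconclusive"


def fetch(url, timeout=10):
    """GET url without credentials and return (status, headers, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # urllib raises on a 401 response
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real server).
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Test"'}
SAMPLES = {
    "leak": (401, CHALLENGE, '<html><link href="/wp-content/themes/x/style.css"></html>'),
    "protected": (401, CHALLENGE, "<h1>401 Unauthorized</h1>"),
    "open": (200, {}, '<html><script src="/wp-includes/js/jquery.js"></script></html>'),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Run against a site you administer, e.g. the staging host from step 5.
        print(sys.argv[1], "->", classify(*fetch(sys.argv[1])))
    else:
        for name, sample in SAMPLES.items():
            print(name, "->", classify(*sample))
```

A result of "leak" means the challenge is sent but the protected HTML is delivered with it, so the password prompt alone is not evidence that the directory is protected.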

Change History (1)

#1 @SergeyBiryukov
20 months ago

  • Component changed from Networks and Sites to Rewrite Rules