2

I have an htaccess file that's being used to password protect a file named wp-login.php (used by Wordpress for login).

Here's what the htaccess looks like:

ErrorDocument 401 "Authorization Required"
<FilesMatch "wp-login.php">
AuthName "Restricted"
AuthType Basic
AuthUserFile /home/username/.wp-admin
require valid-user
</FilesMatch>

I want to have the password in place on just the file under the directory xyz, so xyz/wp-login.php should have a password.

However, the problem is that I have another wp-login.php file under the xyz/abc/ directory (subdirectory of abc), which I do NOT want to password protect. But this happens automatically with htaccess directives - so my question is how to prevent the directive from cascading to a subdirectory?

I'm aware of the Directory directive with a nested File directive, but that seems to still cascade the password protection - note that I do have access to my httpd.conf file since I'm using a VPS and not shared hosting.

Thanks!

Abey
  • 101
  • 2
  • 10
Joseph Porter
  • 23
  • 4

2 Answers2

1

Instead of FilesMatch set your .htaccess like this:

SetEnvIfNoCase Request_URI "^/wp-login\.php" AUTH_NEEDED

AuthType Basic
AuthName "Restricted"
AuthUserFile /home/username/.wp-admin
Satisfy    any
Order      allow,deny
Allow from all
Deny from env=AUTH_NEEDED

This will require basic authentication only when URI is http://site.com/wp-login.php while leaving http://site.com/xyz/wp-login.php etc free from authentication.

anubhava
  • 761,203
  • 64
  • 569
  • 643
0

Basically you create a new .htaccess file in your sub directory to override the root one. There are more details regarding this described in this question:

How to remove .htaccess password protection from a subdirectory

Hope it helps.

Community
  • 1
  • 1
Qben
  • 2,617
  • 2
  • 24
  • 36