0

I have a specific page on my WordPress installation (it's an actual Page in WordPress, just with Pretty URLs) and I want to password-protect it with an .htaccess file provided to me.

For example, the page is http://www.myawesomewebsite.com/members . I want only some users to access it, and their user and password are stored in an .htpasswd file.

The .htaccess file the client sent to me is

AuthUserFile /put the path to the password file here
AuthGroupFile /dev/null
AuthName RESTRICTED
AuthType Basic

<Limit GET POST>
require valid-user
</Limit>

I need to use this parameters to protect this WordPress page. I'm going crazy and my searches are leading to nowhere. Any guesses?

Mateus Pinheiro
  • 870
  • 2
  • 12
  • 20
  • I guess what you are looking for is this https://stackoverflow.com/questions/14603568/password-protect-a-specific-url – BonisTech Jan 22 '21 at 15:21

3 Answers3

1

I was able to do this by:

  1. Creating a directory structure on the file system that is protected by .htaccess.
  2. Adding a custom field to any page that I want to protect that specifies which directory is used to protect it.
  3. Modifying the page.php template to restrict access to the page depending on whether the user has access to the directory specified by the custom field.

The specific steps are as follows:

  1. Create a directory "groups" inside the wp-content directory.

  2. Create wp-content/groups/index.php with the following content:

    <?php
require( dirname(__FILE__) . '/../../wp-load.php' );
class CASGroupAuth {
    static function authenticate(){
        $groups = @$_SESSION['cas-groups'];
        if ( !$groups ) $groups = array();
        $groupdir = basename(dirname($_SERVER['PHP_SELF']));
        $groups[$groupdir] = true;
        $_SESSION['cas-groups'] = $groups;
        if (!@$_GET['redirect_to'] ){
            die("You didn't provide a redirect");
        }
        header('Location: '.$_GET['redirect_to']);
        exit;
    }
}
CASGroupAuth::authenticate();
  3. Create a subdirectory "mygroup" inside the "groups" directory.

  4. Create a symbolic link to the groups/index.php within the mygroups directory. I.e. 

    $ cd mygroup
$ ln -s ../index.php index.php

  5. Add an .htaccess file to your groups/mygroup directory with the appropriate access restrictions. In my case I was using the CAS apache module, so my .htaccess file looked like:

    AuthType CAS
require sfu-user shannah !my-maillist

  6. Modify the the page.php template in my theme (i.e. inside wp-content/themes/mytheme/) to be:

    <?php if (have_posts()) : the_post(); 
$group = get_post_meta(get_the_ID(), 'cas-group', true);
if ( trim($group) ){
    $group = trim($group);
    $existingGroups = @$_SESSION['cas-groups'];
    if ( !$existingGroups or !@$existingGroups[$group] ){
        nocache_headers();
        header('HTTP1.1 302 Moved Temporarily');
        header('Location: ' . get_settings('siteurl') . '/wp-content/groups/'.basename($group).'/index.php?redirect_to='.urlencode($_SERVER['REQUEST_URI']));
        header('Status: 302 Moved Temporarily');
        exit;
    }
}

?>
<?php get_header(); ?>

    <div id="content" class="narrowcolumn">


        <div id="PageTitle"><!-- TemplateBeginEditable name="PageTitle" --><?php the_title();  ?><!-- TemplateEndEditable --></div>
        <div class="post" id="post-<?php the_ID(); ?>">
            <div class="entry">
                <?php the_content('<p class="serif">Read the rest of this page &raquo;</p>'); ?>



            </div>
        </div>

    <?php edit_post_link('Edit this entry.', '<p>', '</p>'); ?>
    </div>


<?php get_footer(); ?>
<?php endif; ?>

The important part of this is the section at the top, as the code the checks the cas-groups custom field and redirects the user, needs to run before any output has been sent to the browser. To do this, I rearranged where the position of the if (has_posts()) statement to wrap the entire page rather than just the content - as it is in the default template.

At this point, if you add a custom field to any page of the wordpress site with name "cas-group" and value "mygroup", then access to that page will be properly limited to users who have access to your groups/mygroup directory based on the rules in its .htaccess file.

If you want to have different groups, you can just make a copy of the mygroup directory and modify the .htaccess file restrictions inside it.

Steve Hannah
  • 11
  • 1
  • This is a clever solution. Would it provide access to all of that group's protected URLs after one login? – supertrue Aug 14 '12 at 14:01
1

Wordpress allows you to protect the pages/posts using password ( and it's rather easyer to go this route than with htaccess ) : go to wp-admin, edit the page/post you like to keep private but allow access to some users too, and right under the "preview changes" button you'll see "Status: Published Edit" and beneth it "Visibility: Public Edit" click the visibility edit, select the Password Protected radiobox ( or private for that matter ) enter a password and hit Ok . You should be good to go .

Poelinca Dorin
  • 9,577
  • 2
  • 39
  • 43
  • I need to do it through .htaccess. There is no way? – Mateus Pinheiro Apr 13 '11 at 19:04
  • why do you need it with .htaccess ? i don't see the point if you can do it like that, the only thing i can think of is multiple users with different passwords, however this can be achived with private blog/posts witch again is way easyer than with htaccess. watch it in action here http://wordpress.tv/2009/01/14/setting-your-posts-or-entire-blog-to-private/ and http://en.support.wordpress.com/posts/post-visibility/ – Poelinca Dorin Apr 13 '11 at 20:14
0

All you need to do is put the .htaccess file in the "members" directory and then point the first line to a password file. To create your password file just do:

htpasswd -c MyPasswordFile username
htpasswd MyPasswordFile anotherusername

Here's a good reference:

http://httpd.apache.org/docs/current/howto/htaccess.html

AdamH
  • 1,378
  • 9
  • 10