I’ve found a quick hack to fix the secure directory issue in wp 2.x. It involves a two step process that solves the issue temporarily..
This has been a nuisance for many a wordpress user, creating mayhem and aggrivation due to wordpress helpfully attempting to turn any valid URI into a permalink. In my opinion, this functionality is very cool. What’s not cool, is the distinct lack of control over what actually should constitute a valid wordpress URI and what is in actual fact a valid secured directory.
Thus, I present a quick-and-dirty process to side-step the aggresive wordpress rules, with a little .htaccess magic.
As we know, the ‘default’ wordpress 2.x .htaccess looks like the following:
# BEGIN WordPress
< IfModule mod_rewrite.c >
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
< / IfModule >
`# END WordPress`
What we’re going to do, is insert three rules to trigger the equivelent of the old fashioned BREAK command many older programing languages used and force wordpress to ignore a specific directory. In this example, we’re going to stop wordpress processing the /stats/ directory as though it forms part of a permalink.
The three lines are thus written:
RewriteCond %{REQUEST_URI} ^/stats/(.*)$ [OR]
`RewriteCond %{REQUEST_URI} ^/failed_auth.html$`
`RewriteRule ^.*$ - [L]`
The secret here, is that we have to “break” the wordpress generated rules while they are being processed, not before, as that won’t acheive anything. Like any ‘loop’ one needs to ‘interupt’ it, not operate outside of it. So, the above three lines are inserted into the default .htaccess file, like so:
# BEGIN WordPress
< IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
`RewriteCond %{REQUEST_URI} ^/stats/(.*)$ [OR]`
RewriteCond %{REQUEST_URI} ^/failed_auth.html$
RewriteRule ^.*$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
< / IfModule>
`# END WordPress`
The logic here basically is:
IF directory match is TRUE do not rewrite ELSE process WP internal rules.
Give it a spin. You can of course, add additional directories by duplicating the line:
`RewriteCond %{REQUEST_URI} ^/some_directory/(.*)$ [OR]`
.. edited to match any directories you may need.
The last step, is to change the permissions on your wordpress .htaccess file, for example:
chmod 755 .htaccess
..to remove the ability for wordpress to update it on the fly. WP will simply spit out any changes need in .htaccess as required and they can either be added manually, or your existing directory exlusion rules backed up and re-added to the re-generated .htaccess file.
This last step is most useful as it returns control of .htaccess, back to the user. I can certainly see a use for a plugin that can ‘inject’ exclusions such as the above into Wordpress and indeed have a few ideas on the boil.
≡ This is a journal entry relating to the topics of No Tags.
Brendan Borlase is a Systems and Network Administrator living in Adelaide, Australia, having lived, worked and breathed Information Technology for over 12 years. Learn more.
Feedback is encouraged. If you would like to read more, consider subscribing to the regularly updated RSS Feed.
-
1
Pingback on
Mar 2nd, 2006 at 8:54 am
[…] I tried a number of fixes suggested on the WordPress forum and other sites, but nothing was successful in telling WordPress to exclude my subdirectory. The suggested solutions are hacks at best, regardless, because it requires one to explicitly exclude, instead of the better practice of implicit inclusion for WordPress’s pages and permalinks. This is a widespread problem that the WP developers should rethink going forward. […]
Feb 24th, 2006 at 8:23 am
Thank you! I was struggling with the mod_rewrite ignore syntax and stumbled across this post. Works perfectly!
Feb 26th, 2006 at 1:13 am
Another way will be to create your error pages.
I got the inspiration from the textpattern forum.
http://forum.textpattern.com/viewtopic.php?pid=91244
But it didnt work with just 401, and 403, so I created 400 & 500 as well and my secure directories were accessible.
Feb 26th, 2006 at 4:23 am
Can you be a little more specific as to what you did? It sounds like you are effectively hijacking 404 style error pages and directing that to a valid ’secured’ directory, which while it might work, is a terribly bad thing to be doing.
It’s breaking an “accepted” result (error page) by redirecting the browser to a valid page, something some browser ‘anti-hijacking’ plugins may not respond to well.
I really want to sort out a proper, clean approach to injecting custom re-write rules into the WP internal engine, something that should be there by default, not hijacking error pages — but thanks for the tip. :)
Feb 26th, 2006 at 1:25 pm
You may want to read this for more details.
http://textpattern.com/faq/173/password-protected-directories-with-htaccess
Feb 26th, 2006 at 5:02 pm
Makes sense, however TXP and Wordpress shouldn’t be handling re-writes internally without some form of administrative control. Having to create error documents, where no error exists, just to outsmart a re-write engine is imho ridiculous.
Mar 1st, 2006 at 10:32 am
I lied; it doesn\’t work for me.
My .htaccess is chmod\’ed to 755, and it contains:
BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/wiki/(.)$ [OR]
RewriteCond %{REQUEST_URI} ^/failed_auth.html$
RewriteRule ^.$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
END WordPress
The protected wiki directory contains a .htaccess file as well:
AuthType Basic
AuthName \"Authentication Required\"
AuthUserFile \"/home/aaltonen/.htpasswds/wiki/passwd\"
require valid-user
If I remove the .htaccess file requiring authentication from the wiki subdir, all is well.
Any thoughts?
Mar 1st, 2006 at 4:03 pm
RewriteCond %{REQUEST_URI} ^/wiki/(.)$ [OR]There’s your issue - it should be:
RewriteCond %{REQUEST_URI} ^/stats/(.*)$ [OR]Note the* to indicate any file. :-)
Mar 1st, 2006 at 4:27 pm
No, the * is there, as in the example in the post\’s body, but gets dropped by your comment sanitizing.
Mar 1st, 2006 at 4:52 pm
Found a workaroud. Changed $use_verbose_rules to true in wp-includes/classes.php. This just makes the WP-generated .htaccess file a bit bigger and complex, but it\’ll only write out the rules it needs, leaving the rest of the site unhindered.
Mar 13th, 2006 at 9:44 am
Cool - I’ve found setting my .htaccess as I want it, then chmod’ing it so wordpress can’t write to it works really well.
The big thing is ensuring the exclusions occur within the WP created rules, or it just won’t process the exclusions.
Apr 13th, 2006 at 7:09 pm
Thanks a lot for this. It worked perfectly for me :)
Apr 28th, 2006 at 10:37 am
Problem solved! Thanks!