WordPress and password-protected directories: How to make them work together

If you have WordPress installed in the root directory of your website, as many people do, and you use a permalink structure that relies on mod_rewrite, then the entire website is subject to the .htaccess rules defined by WordPress. (Again, most people use this option, as it allows for human-readable URIs instead of ones filled with GET queries.) Because the WordPress .htaccess file resides in the site root folder, it allows WordPress to handle all URIs requested from the site. This is good, as it lets WordPress handle 404s nicely, and you can define 404 pages from within WordPress rather than having to resort to server directives.

However, this can create problems if you want to create password-protected directories. Accessing them sometimes doesn’t work because of WordPress’s .htaccess file; this isn’t a WordPress problem per se, however, but rather a problem with how Apache has been set up. I ran into this problem – I tried accessing a password-protected directory that I knew had been set up properly, but I kept getting a 404 error and was redirected to my WordPress theme’s 404 page. After a little bit of searching over at the WordPress support boards, I found some solutions that were sort of messy, involving editing WordPress files or adding a lot to the .htaccess file.

However, after looking for a bit more, I found this page, where the author outlines his fix; but later on a comment posted to his site provided me with the fix I wanted – something simple. Though that site deals with TextPattern, another blogging platform, apparently it handles requests in a similar manner to WordPress.

The problem lies with improperly set (usually non-specified) ErrorDocument directives. In this case, the responsible error codes are 401 (Unauthorized) and 403 (Forbidden). These directives tell Apache what document to send or display to the user when each of these error codes is encountered. If they are set to point to a nonexistent file, WordPress ends up handling the request, which in these cases it treats just like a 404. When you try to access a password-protected resource, Apache first sends a 401 (Unauthorized) as a challenge to provide the proper credentials (login/password); if the error directive for this points to a nonexistent file, then the request is improperly passed on to WordPress and treated like a 404.

To fix it, you need to specify the error directives in your root .htaccess file, which, if you have WordPress in the root, is the same file that WordPress uses. If you open it up, you should find WordPress’ rules in there, which will look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Add the following lines to the .htaccess file.

ErrorDocument 401 /<PATH_TO_ERROR_DOCS>/401.html
ErrorDocument 403 /<PATH_TO_ERROR_DOCS>/403.html

Where 401.html and 403.html are the pages you want shown when each of those respective errors is encountered. These should be static pages (e.g., not server-side scripts). This fix worked like a charm for me.
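
One way to check the result before testing in a browser, as an added example that is not part of the original post: this Python script reads the root .htaccess and reports whether the 401 and 403 ErrorDocument targets exist as static files under the document root. The function names, status strings, list of script extensions and the sample files are assumptions made for the illustration.

```python
import os
import re
import tempfile

# Matches e.g.:  ErrorDocument 401 /errors/401.html
DIRECTIVE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.IGNORECASE)
SCRIPT_EXTS = {'.php', '.cgi', '.pl', '.py'}  # assumption: treated as "not static"


def check_error_documents(docroot, codes=(401, 403)):
    """Return {code: status} for ErrorDocument entries in docroot/.htaccess."""
    targets = {}
    with open(os.path.join(docroot, '.htaccess'), encoding='utf-8') as fh:
        for line in fh:
            m = DIRECTIVE.match(line)  # commented-out lines do not match
            if m:
                targets[int(m.group(1))] = m.group(2).strip('"')
    report = {}
    for code in codes:
        target = targets.get(code)
        if target is None:
            report[code] = 'missing'
        elif not target.startswith('/'):
            report[code] = 'not-a-local-path'  # message text or remote URL
        elif not os.path.isfile(os.path.join(docroot, target.lstrip('/'))):
            report[code] = 'target-not-found'  # request ends up at WordPress
        elif os.path.splitext(target)[1].lower() in SCRIPT_EXTS:
            report[code] = 'not-static'
        else:
            report[code] = 'ok'
    return report


def demo():
    """Constructed sample: the 401 page exists, the 403 page does not."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'errors'))
        with open(os.path.join(root, 'errors', '401.html'), 'w') as fh:
            fh.write('<h1>Authorization required</h1>')
        with open(os.path.join(root, '.htaccess'), 'w') as fh:
            fh.write('# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n'
                     'ErrorDocument 401 /errors/401.html\n'
                     'ErrorDocument 403 /errors/403.html\n')
        return check_error_documents(root)


if __name__ == '__main__':
    print(demo())
```

Any status other than 'ok' for 401 means the authentication challenge can still end up at the WordPress 404 page.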

6 Comments

  1. Great fix and a good explanation. I found some of the other sites, but yours made it a lot clearer for me – just about to test it now. Stu

  2. Thanks for the explanation, but there's another problem if you use mod_rewrite to redirect your URLs to www:

    Options +FollowSymLinks
    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    ErrorDocument 401 //401.html
    ErrorDocument 403 //403.html
    # END WordPress

    I still end up with page not found.
    Darrin

  3. To Darrin:
    I think
    ErrorDocument 401 //401.html
    ErrorDocument 403 //403.html

    two slashes (/) are bad.

  4. Still not working for me, no double slashes?

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /hauteblog/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /hauteblog/index.php [L]

    ErrorDocument 401 //401.html
    ErrorDocument 403 //403.html

    # END WordPress

  5. Wait! I’m sorry, it did work! I simply have to use the direct path from my server in the address bar.

    Thank you!

  6. Thanks for the fix!
