AskApache Password Protection, For WordPress
AskApache Password Protect adds some serious password protection to your WordPress blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing, exploit-serving viruses. Forget spam; these millions of zombie bots are too outrageous to ignore. They are attempting known (but strangely outdated) exploits, looking for known vulnerabilities in blogs and other Internet software. Sooner or later some poor blogger is going to miss an upgrade and become a victim of this type of video-game-like attack.
Of course this would never be able to stop a real hacker intent on taking over your blog; if you are connected to the net on a public line, of course you couldn’t stop them. The people who are attacking the blogosphere are for the most part just playing. They “hack” code that “exploits” a “vulnerability” in some open-source software like phpBB or WordPress. Those people actually help the community of open source software like WordPress by finding security issues and bringing them to light. So who is this plugin built to stop? It’s built to stop the people who are trying all the time to maliciously crack into YOUR average blog. Why would someone want to hack an AVERAGE blog like mine or yours? Well, the answer is that it’s not an actual group, entity, or person who is going to try hacking into your blog. It’s an army of robots, and they will never stop the attack.
So how do these robots attack us? What is their ammo? Their ammo is very specific knowledge of exploiting security holes in very specific software to “crack” your blog. Vulnerabilities are discovered all the time, mostly small ones, but those vulnerabilities that are dangerous to those of us running WordPress 2.5 are LETHAL to those of us running 2.1, just absolutely deadly. So these robots are programmed to do one thing and one thing only: try the exact same exploit that would work against 2.3 against every computer on the internet, as fast as they can and as anonymously as they can, terrorizing the networks with these non-stop requests and slowing down the whole internet, which hopefully will start getting faster as more people use this plugin. Robots have no choice but to leave my servers alone. They understand what a 403 Forbidden means; to them it means take me off your list, the exploit I’m carrying is not compatible. But once again, this will not stop a hacker; this will stop 99.9% of the same bots that “hacked” 99.9% of the blogs.
This plugin will make a lot of the bots out there stop coming back, and I have found this exact type of security setup to be a great insurance policy against these types of brainless zombie bots. A few years ago I had implemented this password protection on a forum I was the security admin for, and it didn’t seem like a big improvement to very many people. The forum software we were running was phpBB, and during that Christmas break we weren’t even thinking about the forums. When we got back, though, the whole place was in an uproar. Some kid sent out a million of these zombie robots with a single payload: an exploit that he knew would successfully penetrate the forum’s defenses. It did.
It was like a tidal wave across the world, that’s how many of these phpBB forums were hit. Thankfully all the kid did was copy the entire forum into a kind of book format and sell it on eBay. Anyway, we looked at the logs for our server and forum, and we saw he had tried the exact same thing against us, and he did have our forum software defenses beat. You see, he had his target all scoped out and meticulously researched, a nice fat range of forums needing an upgrade. As long as they could get to the inner door (admin login) they could knock it down in seconds and own the whole thing.
Everything about the attack on our server was incredibly smooth and fast: they hacked past the user login and then flew straight towards the administrator login. Then, out of nowhere, they got b**slapped because they ran full-speed into a wall that seemingly came out of nowhere, and that’s exactly the same thing that you will have after installing this plugin. It’s like being surrounded by a small army: a sniper can still get you, but you can forget about the ground troops (zombies, ech).
If you are worried about your WordPress blog getting hacked, this can help immensely. It adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder.
The plugin is simple, you just choose a username and password and you are done. It writes the .htaccess file, without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
This plugin automatically picks all the right settings for where to save the .htpasswd and .htaccess files, but you can easily change those settings to anything you want. You can change it whenever you want right from your WordPress Admin Panel.
Download the AskApache Password Protection Plugin
aa-password-protect.zip to the /wp-content/plugins/ directory
No. You just have to type it in once and it will keep you logged in until you close your browser.
In Basic HTTP Authentication, the password is passed over the network not encrypted but not as plain text — it is “uuencoded.” Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.
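What each scheme actually puts on the wire, as an added example (not the plugin's code): a Basic `Authorization` header is Base64 per RFC 7617 and decodes straight back to the password, while the `AuthType Digest` seen in the .htaccess quoted in the comments sends an MD5 response bound to a server nonce (RFC 2617). The credentials and nonces below are the published sample values from those RFCs, not anything from this site.

```python
import base64
import hashlib


def basic_authorization(user, password):
    """Header value a browser sends for AuthType Basic (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_authorization(header):
    """Reverse the encoding: no key or secret is needed, only the header."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def htdigest_line(user, realm, password):
    """One line of an AuthDigestFile: user:realm:HA1.

    HA1 is all that is needed to answer a challenge for this realm, so the
    file is password-equivalent and must not be readable through the web
    server or by other accounts on the host.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Value of response= in a Digest Authorization header (RFC 2617, qop=auth)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    # Constructed sample input: the example credentials from RFC 7617 / RFC 2617.
    header = basic_authorization("Aladdin", "open sesame")
    print("Basic header :", header)
    print("Recovered    :", decode_basic_authorization(header))

    line = htdigest_line("Mufasa", "testrealm@host.com", "Circle Of Life")
    ha1 = line.rsplit(":", 1)[1]
    print("htdigest line:", line)
    print("Digest resp. :", digest_response(
        ha1, "GET", "/dir/index.html",
        "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"))
    # The response changes with every server nonce, so a captured value is not
    # the password. Neither scheme encrypts the page content itself; that
    # takes HTTPS.
```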
- Limiting access: Making smart choices that effectively lower the possible entry points available to a malicious person.
- Containment: If a weak point in your installation is found by a malicious person, your system should be configured to minimize the amount of damage that can be done once inside your system.
- Knowledge: Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation.
Hello!
I can not go to the admin panel
problem 1
Warning: array_merge() [function.array-merge]: Argument #1 is not an array in /home/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1316
problem 2
Warning: md5_file(/home/public_html/wp-content/askapache/.htaccess) [function.md5-file]: failed to open stream: No such file or directory in /home/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1715
problem 3’4’5’6
Warning: gzcompress() expects parameter 1 to be string, object given in /home/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1717
Warning: base64_decode() expects parameter 1 to be string, object given in /home/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1720
Warning: gzuncompress() [function.gzuncompress]: data error in /home/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1720
Warning: md5_file(/home/public_html/wp-content/askapache/.htaccess-decompress) [function.md5-file]: failed to open stream: No such file or directory in /home/public_html/wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1723
help me
Seriously. There needs to be a FAQ on how to completely undo everything this plugin does. I have two wordpress sites and only installed it on one. Now I can’t get into the admin area of either and I deleted the .htaccess and aapasswd files, deleted the plugins, edited the db and still can’t get into either site now.
Really. Need. A. Writeup.
Hi, Maan jony ~
I also have a “500 internal server error” after activating the askapache plugin and tried to rectify it, but I could not do that. I’m following your instruction….
*************************************************************************************
to remove it is very easy and after you log on your admin and uninstall this plugin.
first log on your ftp and in wp-admin .
************************************************************************************
I could not find .htaccess file in my server…..please help me.
Regards
gopalb123
[...] The easiest way to setup password protection is through the WordPress htaccess Password Protect Plugin. [...]
Take a look at www.pixelock.com for a truly effective password site, I found it last year and works great for me.
Cheers
Steve
Hi! Okay, I admit I’m clueless about anything related to setting up a page. I searched for a password plugin and downloaded yours. I clicked around and must have done something dramatically wrong because now, I can’t access my website at all. Whatever I click or type in, I get the following message to contact the webmaster but I am the webmaster! So what do I do? How can I fix it? I’d really appreciate your help. Please email me.
Thank you so much!
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@saerinandbrian.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
I also have a 500 internal server error.
To remove it is very easy, and afterwards you can log on to your admin and uninstall this plugin.
First log on to your FTP and go into wp-admin.
Open .htaccess in an editor and remove the code of this plugin, which looks like the following:
# +ASKAPACHE PASSPRO 4.6.5.2
#######################################################
# __ __
# ____ ______/ /______ _____ ____ ______/ /_ ___
# / __ `/ ___/ //_/ __ `/ __ \/ __ `/ ___/ __ \/ _ \
# / /_/ (__ ) ,< / /_/ / /_/ / /_/ / /__/ / / / __/
# \__,_/____/_/|_|\__,_/ .___/\__,_/\___/_/ /_/\___/
# /_/
# - - - - - - - - - - - - - - - - - - - - - - - - - - -
# +APRO SIDS
# +SID 20030001
Satisfy Any
AuthType Digest
AuthName "Protected By AskApache"
AuthDigestDomain / http://www.asportsnews.com/
AuthDigestFile /home/studysol/public_html/.htpasswda3
Require valid-user
# -SID 20030001
# -APRO SIDS
# - - - - - - - - - - - - - - - - - - - - - - - - - - -
# __ __
# ____ ______/ /______ _____ ____ ______/ /_ ___
# / __ `/ ___/ //_/ __ `/ __ \/ __ `/ ___/ __ \/ _ \
# / /_/ (__ ) ,< / /_/ / /_/ / /_/ / /__/ / / / __/
# \__,_/____/_/|_|\__,_/ .___/\__,_/\___/_/ /_/\___/
# /_/
#######################################################
# -ASKAPACHE PASSPRO 4.6.5.2
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Clear your cache and browsing history cookies also.
Delete the .htpasswd3 and the plugin from the plugins folder, it depends on you, and that’s it. You removed it easily.
If there is anything else, PM me.
Thanks, good plugin, but it requires a lot of work on it.
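The manual edit described in the comment above, as an added example (not part of the original comment and not the plugin's own uninstaller): it removes everything between the `# +ASKAPACHE PASSPRO` and `# -ASKAPACHE PASSPRO` marker lines shown in that comment and leaves the WordPress rewrite rules alone. The function names and the sample file contents are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# Marker lines as they appear in the .htaccess quoted in the comment.
START = re.compile(r"^\s*#\s*\+ASKAPACHE PASSPRO\b")
END = re.compile(r"^\s*#\s*-ASKAPACHE PASSPRO\b")

# Constructed sample: a plugin block followed by the stock WordPress rules.
SAMPLE_HTACCESS = """\
# +ASKAPACHE PASSPRO 4.6.5.2
# +APRO SIDS
# +SID 20030001
Satisfy Any
AuthType Digest
AuthName "Protected By AskApache"
AuthDigestDomain / http://example.com/
AuthDigestFile /home/example/.htpasswda3
Require valid-user
# -SID 20030001
# -APRO SIDS
# -ASKAPACHE PASSPRO 4.6.5.2
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""


def strip_askapache_block(text):
    """Return (cleaned_text, removed_text) for the contents of one .htaccess."""
    kept, removed, inside = [], [], False
    for line in text.splitlines(keepends=True):
        if not inside and START.match(line):
            inside = True
        if inside:
            removed.append(line)
            if END.match(line):
                inside = False
        else:
            kept.append(line)
    if inside:
        # A start marker with no end marker means the file was hand-edited or
        # truncated; deleting to end-of-file could remove the site's own rules.
        raise ValueError("start marker without end marker; nothing changed")
    return "".join(kept), "".join(removed)


def clean_htaccess(path):
    """Strip the plugin block in place, keeping a backup. True if changed."""
    path = Path(path)
    with open(path, newline="", encoding="utf-8") as fh:
        original = fh.read()
    cleaned, removed = strip_askapache_block(original)
    if not removed:
        return False
    # The backup name still starts with ".ht", so the deny rule for .ht*
    # files in a stock httpd.conf keeps it from being served.
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    with open(path, "w", newline="", encoding="utf-8") as fh:
        fh.write(cleaned)
    return True


if __name__ == "__main__":
    cleaned, removed = strip_askapache_block(SAMPLE_HTACCESS)
    print("removed", len(removed.splitlines()), "lines; remaining file:")
    print(cleaned, end="")
```

Other commenters report that the plugin also writes a separate .htaccess inside wp-admin, so run `clean_htaccess` on a downloaded copy of each file and upload the result.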
I just installed this plugin and my wp-admin gives a 403 forbidden error. Can anyone tell me how to remove this crappy plugin without accessing the admin panel?
Hello,
I am getting one URL like http://www.example.com/de/test.html, I want to remove http://www.example.com/test.html
Can anyone say what to do in .htaccess file
Thanks,
I’ve WordPress installed in a subdir. (/web) and your plugin fails to find the .htaccess-file’s (/web/.htaccess).
How can I correct this?
Hi All –
Tried to install the plugin (via the plugin install from the dashboard) on a WP 2.8.5. The plugin does not add the .htaccess files – had to add them manually and also for some mysterious reason I am getting these php errors on the AA Pass Pro settings page:
Warning: array_merge() [function.array-merge]: Argument #1 is not an array in wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1316
Warning: join() [function.join]: Invalid arguments passed in wp-content/plugins/askapache-password-protect/askapache-password-protect.php on line 1319
All the squares are green except the “Test folder writable” that is red.
Any help very useful!
Thanks
OK, I am having an issue. I just installed this running the latest version of WP (2.8.5) and activated the first two authentication options for the login area. Now I cannot get to the login and get a “nothing found at…”
Anyone help?
http://danielpipitonedesign.com/wp-admin/
I also ran into the problem where I was locked out of my wp-admin site. Other than that this plug-in seems very useful. I was able to fix the wp-admin login issue by deleting/renaming the .htaccess file in the wp-admin directory. The author appears to be working on an update. Hopefully this will fix that.
I got this to install. It seemed to require that the .htaccess and .htpasswd files currently exist in the protected folder(s); wp-admin (I think).
After initial configuration I ran into another problem with the following SID modules: SPECIFIC CHARACTERS and Directory Traversal. They broke my site.
Would be nice if the Manage Security Module GUI listed which SID items in the .htaccess were related to what SID Module. That way when my site breaks and I have to manually edit the .htaccess, it is a little bit easier to know what lines to remove.
How exactly am I supposed to configure my file/folder permissions in order to get this plugin to initialize correctly? I keep getting the following file permissions error: “/wp-admin/.htaccess file writable”. The installation instructions are a bit light.
I tried installing the version available from the WordPress.org site today. It ran the tests and said everything was fine. I enabled protection for wp-admin and now I cannot access my wp-admin area at all. There was nothing in the .htaccess file and I removed the .htaccess file in wp-admin after removing the plugin via FTP. Is there any way I can regain access? I also did not see a .htpasswd file anywhere in my directories. Thanks.
Hey guys, need some help here. I noticed several things after I upgraded to 2.8.2. First thing I noticed is that for some reason I could access my wp-admin page without getting a login page. Suspecting something amiss, I cleared the cache, rebooted and tried again; I could still access the site. Not good and not normal. So, I enabled the two options within AAPP that I had not before: protect wp-admin and protect wp-login. However, now even I cannot get into my admin page. There was no prompt to create a user, and when I try to get in I get 401 (forbidden), which is the action it is supposed to do. How do I disable (temporarily) the security that blocks even me?
Great plugin for sure…
Thanks.
Useful plugin thank you.
Thanks for this plugin. Now I can rest a lot without worrying about my blog’s security :)
I activated this one:
Denies Requests containing ../ or ./. which is a directory traversal exploit attempt..
And now I am locked out of my website (so is everyone else)! How do I fix this?
damn, u removed the music player :P
u knw i bookmarked this site just to listen to one song u had in there…. now i can’t anymore :’(
Great plugin. Does it work with WordPress 2.71?
Thanks
Very nice plugin but I have one problem with it. I turned on one function for the admin panel and now I can’t log into it. It shows me 500 Internet Server Error. What should I do?
Hi there, what a great plugin. One problem. I set it up as per instructions. When I went to activate the various areas, it gave me a 404 page each time bar the initial activate htaccess. Now I can’t access any section of my site admin at all, even when I input my passwords. I deleted the plugin and htaccess files but still have no access. What can I do??
Hello,
After copying of the last AA PassPro Version to my plugin Directory (wp262) and the plugin activation, I got the message that there is a new version of the plugin.
Unfortunately the online update was not successful!
When I try to access my plugin admin page now I get this message:
Error 500 – Internal server error
Ein interner Fehler ist aufgetreten! Bitte versuchen Sie es zu einem späteren Zeitpunkt.
What can I do?
Deleting of the AA PassPro has no effect, the same if I copy the directory a second time to the webserver.
What can I do? Any Idea?
Thanks, Michael
How do I protect the file wp-login.php? People keep trying to hack my wp-login.php.
To the plugin developer:
Thanks for this, great plugin; however, when I installed this plugin on a Godaddy Economy/Free hosting account, I cannot log in to the wp-admin panel even though I have the correct access info.
Is this something to do with the Godaddy free hosting account? I know that with this type of hosting, I cannot make a folder above the root/ public html folder, so this means that when Apache password protect plugin create an .htpasswd which should be placed not in a public html folder, it cannot do so because of Godaddy free hosting account restriction.
Is this the correct cause why I cannot login? Many thanks.
Merzz
Awesome plugin
Hello,
First of all, thank you for this plugin. My question is: are you planning to release a new version in the near future with any major fixes and/or improvements? Is it compatible with WP 2.6?
Thanks,
Alex
Just activated askapache password protect, and on the first page everything passes but Plain Encryption capability, which failed. What should I do?
I fixed the 500 Server Error on my WP 2.5.1 Blog.
Delete following Code in the generated htaccess file:
SecFilterEngine Off
Just installed the plugin on my latest version newly reinstalled (after being hacked) blog and when trying to access it for the first time it starts with failed: the root directory, wp-admin and wp-content need to be writable by php. So I go and change permissions from 755 to 766 and refresh the page, but then it gives me “forbidden”. Change everything back to 755 and I’m back to the one telling me to make them writable.
There is no .htaccess file to be found anywhere (and show hidden files is turned on in filezilla). How do I fix this?
I didn’t realize there was a new .htaccess file inside the wp-admin folder. When I removed that, I could then log back in and deactivate and then delete the plugin. I had been playing around with the wrong .htaccess files.
Just added a cautionary note to the promotion of this plugin on the Hardening WordPress codex page. My caution is as follows:
Caution: Installing the AskApache Password Protection plugin may lock you out of your WordPress Admin panel and return an error 500 when you attempt to go to yourdomain.com/wp-admin. You might try installing the plugin on a test site first, as your server or other configurations may cause issues. Uninstalling the plugin is also difficult (simply deleting it through FTP doesn’t deactivate it). See the comments under the author’s plugin home page to read other users’ experiences with this plugin.
I wouldn’t have written this caution if I weren’t frustrated at being totally locked out of my site with no clear instructions on how to remove this plugin’s work.
I appreciate your work on this plugin, but it’s not working for me and at this point, I’d just like to uninstall it. I can’t access my admin panel at all now. When I go to my login page, it shows an error.
I tried downloading both my .htaccess files — both at the site and root levels — but they aren’t modified at all. I thought there’d be some Ask Apache Plugin code rules to delete, but there aren’t.
I tried deleting the plugin itself. Both of these attempts don’t uninstall the plugin, and I’m totally locked out of my WordPress admin panel. I’d really appreciate your help. How do I uninstall this plugin manually? Thanks,
Tom
Needs more info on what to do when the install f#*ks up your blog.
I installed it correctly, then I couldn’t get back into my blog. Kept getting an internal server error.
So I deleted the htaccess file and deactivated the plugin.
It’s a shame, this could have been a useful plugin.
Hi, I just downloaded your plugin and tried to install it into my WP 2.5.1, but no luck.
At first, it said that my wordpress folder, wp-admin folder, wp-content folder need to be writable, but all the three folders are 755. And it said we shouldn’t chmod 777 our folders, but after I changed to 777 I passed the Test for read/write permissions.
But I have this error:
Error Creating test pages for HTTP Authentication Enabled Test files!
My webhost is apache and supports htaccess.
If you have the solutions that would be great.
Thanks in advance.
Hi, just a note to people actually using this with WP 2.5+, with regards to which modules to leave off:
“Directory Protection Module” flat-out disables the /wp-admin/ address, which you need to login to your admin. I can’t see how you would be able login to your own admin with this on (wp-login.php actually forwards to /wp-admin/).
“Protect wp-content” breaks many plugins, especially AJAX-enabling plugins, which request php files from their own directories.
“Common Exploits” denies access from the post editor to the media uploader. Which is to say, when you click “Add Image” you get 301 Forbidden.
All other modules are OK to enable.
To sum up, this is a fantastic plugin and a no-exceptions required install on any website I build, but I really have to scratch my head at the inclusion of some of these modules, especially as a newbie to WP will naturally assume enabling all modules is the best way to go.
I am using the latest version that was just released and when I click on AA PassPro under settings I get stuck on…
“Test for .htaccess capabilitybad fsockopen”
Any suggestions? I had been using previous versions successfully.
Alex
Hi,
I am experimenting with your plugin today too. When I activate, the main .htaccess file is edited, but nothing is installed in wp-admin folder.
Also, when I go to the options screen, nothing appears under the AA PassPro tab.
Looks like it would be effective at holding off those xmlrpc hacks.
Thanks!
Just a short update in case other people are struggling as well.
There is no htaccess in the wp-admin folder and sometimes (I haven’t figured out when yet) there is no longer an Ask Apache part in the htaccess in the root AND I can’t delete the password file in the root. What I managed to do is the following:
If I clear the password file (delete the content) and delete the Ask Apache part from the htaccess in the root AFTER I deactivated and deleted the plugin, I can upload version 3.5.1, activate it and get it to work. That’s the only version that I get running as of now, but at least, it’s better than nothing! All other versions leave me with a password that is not accepted or doing nothing at all (not even a login screen).
I have used this plugin for almost a year. I noticed that it doesn’t work since I downloaded the latest version (or since I installed Bad Behavior?) and now I also get the “htaccess support not found” error…
I installed the plugin, I’m getting the message “htaccess support not found”, my server supports htaccess, what is happening?
please help and thanks for your work.
Gus
After getting hacked I thought this plugin was the answer to my prayers, but after installing it I was unable to login with the username/password I set up. After reading the comments here I tried what you suggested in comment #12, removing the bit added by the plugin to my htaccess file. Now I get 404 errors when I try to log in to wp-admin! Looks like other folks have had this problem but I’ve tried everything suggested here and nothing has worked! I’m unable to login. Does anyone have any suggestions? Is there any way to completely deactivate the plugin and undo all the changes it’s made without logging in? Any help is appreciated.
Is the version 3.6.6 compatible with WordPress 2.5.1? When I have actived the plugin, in options panel control this appears:
“htaccess support not found”
Many thanks for this. Have installed it, and will sleep better as a result!! Especially when on holiday!
Cheers,
Alex
thanks for the comment .. nice plugin .. hope other will enjoy using it too!!
I noticed that I could not post via Windows LiveWriter anymore AND that my “inline tag thing” plugin wouldn’t let me change tags via ajax. So I switched it off again, or is there some kind of workaround?
Somebody asked this question already but I think it was not answered:
The root file wp-login.php can be reached without any restrictions. Wouldn’t it be helpful to protect it too?
BTW- I’m running WP.org 2.3.2. on a hosted server.
To clarify just a bit, when I attempt to log in to WP, I’m taken to my blog, but instead of getting the admin page, the sidebars display, but the following message pops up on top-
“Sorry. The page you are looking for is not here.”
I’m actually logged into my blog ( I believe, as the META options displays a “Logout” button), but the admin, or edit functions won’t display, only the “sorry your page is not here”.
I deleted the plugin altogether in My Computer, but still exactly the same issue.
I’m a total loser with no life or contact with the outside world except the contact I have thru my crappy blog.
Please help. I’m desperate. I may not survive much longer.
Thank you-
Thank you for the extensive and helpful answer. I’ll be switching over to the AskApache Password Protect. I hadn’t realized that it also provided protection for the wp-includes and wp-content folders as well as the wp-admin folder. I also hadn’t realized how easy it is to spoof headers and that the scrapers and bots are doing that automatically. Thanks again, I appreciate it.
Obscurity does not beat strong authentication from a security point of view. This is not to suggest that obscurity does not provide a value, simply that I’d rather put my stock behind a strong password and an effective password protection system than attempting to hide my files. The WordPress site itself makes mention of this: Hardening WordPress
jason
Last time I tried AskApache PassPro I was not able to make it work with another scheme that I already had set up called, “Hiding WordPress Installation Files”
My question is this: do you think the AskApache protection is more important than the protection provided by hiding the WordPress installation files? Thanks.
I just noticed that a direct request for
/wp-login.php?loggedout=true
doesn’t get blocked. The same goes for
/wp-login.php?redirect_to=%2Fwp-admin%2F
Those paths are the same for all WP installations. Of course a hacker wouldn’t be able to work if (s)he found out how to login, but I still wonder if it is smart to leave these pages open for someone to just try. Can’t the wp-login.php not just be behind the password too?
This is a solid piece of work, but I’m actually looking for something a little *less* stringent. Is there any way to manipulate this plugin so that it will password protect a specific public post? WordPress 2.3+ had post-level passwords but they stunk. And 2.5 appears to have done away with the option completely!
For those with the 404 problems, I found an article which seems to discuss it in depth at:
WordPress admin password protection 404.
The article’s not related directly to this plugin, but it’s the same problem. I haven’t tried any of the suggestions yet myself, but will do so sometime in the next week or two. I thought I’d post the link in case anyone wants to try it quicker!
AskApache – you may want to have a look at this too, out of interest… Not sure if there’s anything your plugin can do to get around this, but you never know.
Thanks Boss
Installed fine but one problem:
When a user registers and clicks on the URL that is included in the email he is prompted with the WordPress login; when they login they are automatically redirected to the url wp-admin/profile.php which is of course protected.
Can I change this behaviour?
Ed
I too am having the 404 problem after activating the plugin and setting up a user. I’m sure it’s a host issue and this occurs when I password protect the wp-admin directory using their control panel as well. However, any suggestions on why adding .htaccess password protection to the wp-admin folder would throw a 404 error? Other instructions contained within the .htaccess file in wp-admin do not cause the 404, seemingly only the password protection does.
Zack,
That was my comment you referenced – and no there’s been no solution yet. AskApache feel free to correct me if I’m wrong!
However, I’m pretty sure it’s something to do with my web host. I get the same problem if I turn on Password Protect Directories through CPanel. That’s doing the same thing as the plugin, but the plugin is not involved – indicating that it’s something to do with the server.
I reported it to my host, but they want me to activate the protection and leave it in their hands to investigate further. That involves locking myself out of the Admin area until they’re finished and I haven’t found a good time to do this!
I had to fix the code to prevent the file_put_contents() error.
Now the options page is displayed correctly, but I get the following message: “Error Creating test pages for HTTP Authentication Enabled Test!”
Does it have to do with my .htaccess file permissions? Please drop me a line if you know the answer!
Great job anyway, hope I’ll get it to work soon!
Greetings from Italy!
Am I understanding this correctly?
People think they are securing their site by making folders 777 permission? I hope everyone who has done that knows that 777 permissions will make your installation very insecure.
I get (rather arrogantly) told…
Error Creating /home/builder/.htpasswdaa1
FATAL ERROR! response code: 404
My thorough testing shows your server isnt good enough to to handle .htaccess / .htpasswd files. Switch to Apache
But that simply is not true, I am on an apache server, (a very good one) but all the normal port settings have been changed to make the server more secure. Could this be the problem?
problem sorted out, the httpdocs (root) had also to be 777, as well as the wp-admin, seems like I missed one folder either way when fiddling around.
nice plugin, I appreciate it, keep up the good work sir!
well, the 2.x version worked fine, now with the 3.x version I get
Error Creating
FATAL ERROR! response code: 404
My thorough testing shows your server isnt good enough to to handle .htaccess / .htpasswd files. Switch to Apache
- tried the chmodding to 777 and forth and back, manually creating the files and deleting again. I really liked the additional security this plugin offers, not sure why this is freaking out now.
maybe apache can help?
I am getting this error on going to the options page after installing the WordPress plugin.
WordPress is just freshly upgraded.
Call to undefined function: wp_localize_script()
Hello, I installed this plugin and I was totally locked out of my admin.
It didn’t even prompt me for the password I had entered.
So I had to delete the two htaccess files and now I’m getting the error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@deshoda.islandspoogy.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the reques
Any ideas as to how to undo the work of this plugin?
In case anyone else has the following issues.
First: I’m using developerside.net’s implementation of Apache/MySQL/PHP for Windows, WordPress 2.3.3, and AAPP 2.0.
By default the plugin does not work with my implementation. When I activate the plugin and set it up I am unable to log in…instead I’m given a 500 page. When I’m finally able to get the authentication window it fails to authenticate me even if my username and password are correct.
To fix the first problem I remove the AuthGroupFile line altogether.
To fix the second problem I simply recreate my user's password by opening a command prompt or shell in the same directory as the .aahtpasswd file (which should be out of the web root btw) and then running ‘htpasswd .aahtpasswd use_your_username_here’.
I haven’t debugged the reason why the password is wrong, however resetting it manually works just dandy. Thanx for the great plugin!
Thanks for the great plugin. It seems to be working fine now. I finally got it installed after trying a bunch of stuff. The key to getting it to write the .aahtpasswd and .htaccess files was changing permissions on root, wordpress and wp-admin folders to 777 for the install and then back to 755 afterwards.
Nice tool, but by default unsecure. Default .aahtpasswd is readable by apache.
Simple workarounds:
- aahtpasswd to .htaapasswd in configuration and plugin source (.ht must be first)
- Order allow,deny
  Deny from all
I love your produce but the music on your site is…… somewhat distracting….. especially since a visitor has to shut it off each time they visit a page….
This makes it a little difficult to absorb the width and depth of your obvious brilliance.
I hope this sounded “diplomatic”.
Nevermind. Sometimes the simplest idea is never pursued. Yes, I just found clicking the “DISABLE PROTECTION” button brings you back to the screen to reset the passphrase and username.
Argh. Let me go drive my head in the sand. Who looks for simple? :D
Great plugin! Thanks for creating it. I like the idea of that second layer of protection being there.
Now I have one question, as hopefully there’s an easier way: How does the admin easily change the passphrase?
My solution was to delete the files from the server, delete (actually, rename) the plugin, play in the MySQL database for a bit, re-add the plugin (change the name back to the original name), and re-activate it, which then allowed me to change the password. Surely there’s a simpler way.
Again, thanks for creating this. It’s a great extra step.
Okay, great idea – but it’s not working for me. I don’t get the “Authentication Required” window, it just throws a 404. This is occurring in FireFox 2.0.0.9, IE7 and Opera 9.23 on XP SP2.
I’ve verified that the two files exist (.aahtpasswd and wp-admin/.htaccess) and that they have the correct content (as per the options screen).
Okay, the solution to the 404 problem I mentioned in my previous comment works for me. The article had
ErrorDocument 401 /myerror.html
ErrorDocument 403 /myerror.html
to your .htaccess file and create a static file called myerror.html.
If you don’t want it in your public_html folder, then you can put it in a folder and add the folder’s name to the two lines, ie:
ErrorDocument 401 /[foldername]/myerror.html
ErrorDocument 403 /[foldername]/myerror.html
This seems to fix the problem, at least for me, but I’m not sure what impact it may have on other things (ie by having 401 and 403 go to the new file rather than WordPress handling it).
How do you undo this plugin? I forgot the username and password I set up. I deleted the plugin folder and all the htaccess htpasswd files and it still asks to login before getting to WordPress’s admin screen. Please help, I locked myself out of wp.
hi,
really nice plugin. i am not sure whether you know it, but in the standard setup (e.g., .aahtpasswd in the root of your web blog), wp-scanner complains about exposed dangerous files (.aahtpasswd world readable). it’s probably the best solution to put it somewhere else, where it’s not readable by the browser, but where it’s still accessible by the server (as suggested also in #23), e.g., to the home directory
Bug? The plugin itself doesn’t like it when you tell AskApache that you want the password outside of the htdocs folder (example /Library/WebServer/ rather than /Library/WebServer/public_html/blog/ ) If you have the .aahtpasswd outside of the htdocs it can’t be accessed by a web surfer, but it CAN be accessed by the web SERVER. Just make sure you’re giving it an absolute path in the .htaccess file.
Hope that helps. I also had to CHMOD 777 to freakin everything. Even after following examples in your ultimate guide and from BlogSecurity. WordPress, its themes and plugins just didn’t like any access limitations. hmmmm, let me make sure the ownership is correct since I did not "upload" the files, just copied them locally.
Maybe you should include a small segment on file ownership, eh?
Thanks,
Chaz
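Several comments above raise two exposure issues: a password file named .aahtpasswd kept inside the web root, and folders left at 777. The following audit function is an added example, not part of the plugin or of any comment; the label names are made up here, and it assumes the server's configuration blocks requests for `.ht*` files (as the comment "(.ht must be first)" implies), which you should confirm for your own host.

```shell
#!/bin/sh
# Added example (not the plugin's code): audit a web root for password files
# stored under it and for world-writable files and directories.
# Usage: source this file, then run: audit_docroot /path/to/docroot
# Returns 0 when clean, 1 when anything is reported, 2 on a bad argument.
audit_docroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }

    findings=$(
        # Password files kept under the web root. A name starting with .ht
        # relies on the server-side .ht* block (assumed, verify on your host);
        # any other name, such as .aahtpasswd, is not covered by that rule.
        find "$docroot" -type f \( -name '.htpasswd*' -o -name '.aahtpasswd*' \) |
        while IFS= read -r f; do
            case ${f##*/} in
                (.ht*) echo "PASSWD_IN_DOCROOT $f" ;;
                (*)    echo "PASSWD_NO_HT_PREFIX $f" ;;
            esac
        done

        # Anything still world-writable, for example a folder left at 777
        # after the install instead of being set back to 755.
        find "$docroot" \( -type d -o -type f \) -perm -0002 |
        while IFS= read -r f; do
            echo "WORLD_WRITABLE $f"
        done
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A clean result only covers these two checks; moving the password file outside the web root and pointing AuthUserFile at its absolute path, as described above, removes the first finding entirely.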
Is it possible to protect another folder than the admin folder? I want my photos folder protected with a password. The ‘normal’ page protection doesn’t work. Now it is possible to send the pictures’ url to someone and you can get in. So I’m searching how to protect it with .htaccess.
I installed it, but that “Authentication Required” window doesn’t pop up AT ALL in Firefox 2 or IE 7 (that window that asks for name and password)!
Now I can’t even access my wp-admin URL. It keeps redirecting to home page. I tried deleting the plugin, but I’m still locked out of my WordPress admin. What do I do? Help!
Useful plugin, thank you.
Thanks for writing this plugin.
It password protects my admin panel….not my blog. Have I done something wrong or is this what the plugin is designed to do?
Hi there
I installed the plugin, activated it and turned it on by adding a username and password. When it asked for my username password and I typed in the same one I had entered earlier it wouldn’t give me access, just kept asking for my username password.
I noticed once the plugin was turned on that it said it hadn’t written the .htpasswd file.
How do I get access back and get the plugin working?
thanks, Grant
Thnx for the write-up. Take a look at http://www.groovypost.com/howto/apache/password-protect-apache-website/ for details on password protecting pages and directories for both LINUX and Windows boxes hosting apache.
MrGroove
great work! and thanks for your comment on http://wordpress.designpraxis.at/plugins/demo-mode/
I actually was thinking of a http-authentication plugin, but the weird setup of my host’s machine doesn’t allow for certain statements within the .htaccess file. It results in an Error 500. That’s why I did “Demo Mode”.
hi i enjoyed the read
hi nice post, i enjoyed it
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
[...] AskApache Password Protect (rated 6 out of 10): I was unable to use AskApache Password Protect since based on self-tests that this plugin runs my particular web host configuration was shown to not support it, but if you are able to make it work then I advise you give it a try. [...]