
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Password protect wp-admin with .htaccess


This topic contains 0 replies, has 1 voice. Last updated by  TJ 3 years, 4 months ago.

Posted: Thursday Sep 5th, 2013 at 5:14 pm #59164
TJ
Username: wellwater

I’m looking to apply an extra layer of security to the wp-admin area using .htaccess to password-protect it. These articles detail the rationale behind it:
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
http://wordpress.damien.co/2013/04/wordpress-security-protect-your-wp-admin-with-this-quick-htaccess-trick/
http://kuttler.eu/post/htaccess-protect-wordpress-admin/

s2member loads some .js and .css files on public pages, such as any buy/checkout pages:

/wp-admin/js/password-strength-meter.min.js

And the login and lost-password pages:

/wp-admin/css/wp-admin.min.css
/wp-admin/css/colors-fresh.min.css

Implementing .htaccess password protection would result in all users being prompted with an HTTP authentication box upon visiting buy/checkout pages and the login page, due to the above .css and .js files being referenced in the HTML source.

So, in order for this to work, I’ll have to whitelist these files. I’ve come up with the following:

# place in /wp-admin/.htaccess
# whitelist files/file types:
# allows .css, .js, and admin-ajax.php files to load without restrictions
<FilesMatch "\.(css|js)$|^admin-ajax\.php$">
    Order allow,deny
    Allow from all
    # "Satisfy any": the Allow above is sufficient on its own, so the
    # Basic-auth Require for the rest of /wp-admin/ is not applied to these files
    Satisfy any
</FilesMatch>

I didn’t whitelist .png and .gif in ‘/wp-admin/images/’ as the .css files that s2member loads don’t reference them.

Although it seems pretty brittle, the above approach appears to resolve the issue. Is the whitelist above sufficient, though? Are there any other non-css/js files that s2member may also be referencing, or even injecting via ajax or conditionally via php, that I also need to whitelist?

One suggestion that may be worth considering is to remove references to ‘wp-admin’ files altogether so folks can implement two-way authentication and even IP-address restrictions within ‘wp-admin’ without breaking s2member. s2member could instead load the .css and .js within its plugin folder.

Thanks.

  • This topic was modified 3 years, 4 months ago by TJ.
  • This topic was modified 3 years, 3 months ago by TJ.
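One way to audit whether such a whitelist really covers everything a public page pulls from /wp-admin/ is to scan the page's HTML for /wp-admin/ references and apply the same FilesMatch regex to each file name. This is an added example, not code from the post or from s2Member; the regex, the helper names and the sample HTML are assumptions/constructed for illustration.

```python
import re
from html.parser import HTMLParser
from os.path import basename
from urllib.parse import urlsplit

# Same pattern as the FilesMatch whitelist above (assumed to be the intended regex).
WHITELIST = re.compile(r"\.(css|js)$|^admin-ajax\.php$")

# Constructed sample of a public checkout/login page; not captured from a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-admin/css/wp-admin.min.css?ver=3.6">
<link rel="stylesheet" href="/wp-admin/css/colors-fresh.min.css">
<script src="/wp-admin/js/password-strength-meter.min.js"></script>
<script>var ajaxurl = "/wp-admin/admin-ajax.php";</script>
</head><body>
<img src="/wp-admin/images/loading.gif" alt="">
</body></html>"""


class _RefCollector(HTMLParser):
    """Gather src/href/action attribute values and inline script/style text."""

    def __init__(self):
        super().__init__()
        self.urls, self.inline = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.urls.append(value)

    def handle_data(self, data):
        self.inline.append(data)


def find_wp_admin_refs(html):
    """Every /wp-admin/... path the page references, in tags or inline JS."""
    collector = _RefCollector()
    collector.feed(html)
    refs = {urlsplit(u).path for u in collector.urls}
    for text in collector.inline:  # e.g. an ajaxurl pointing at admin-ajax.php
        refs.update(re.findall(r"/wp-admin/[\w./-]+", text))
    return {p for p in refs if p.startswith("/wp-admin/")}


def blocked_by_auth(html, whitelist=WHITELIST):
    """/wp-admin/ paths the whitelist does not exempt, i.e. the ones that would
    trigger the Basic-auth prompt. FilesMatch tests the file name only, so the
    regex is applied to the basename here as well."""
    return sorted(p for p in find_wp_admin_refs(html) if not whitelist.search(basename(p)))
```

Run it against the saved HTML of each public page (checkout, login, lost-password) and anything it reports is a candidate for the whitelist or, as suggested above, for moving out of /wp-admin/ entirely.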

This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
