|Posted: Thursday Sep 5th, 2013 at 5:14 pm #59164|
I’m looking to apply an extra layer of security to the wp-admin area using .htaccess to password-protect it. These articles detail the rationale behind it:
s2member loads some .js and .css files on public pages, such as any buy/checkout pages:
And the login and lost-password pages:
Implementing .htaccess password protection would result in all users being prompted with an HTTP authentication box upon visiting buy/checkout pages and the login page, due to the above .css and .js files being referenced in the HTML source.
So, in order for this to work, I’ll have to whitelist these files. I’ve come up with the following:
I didn’t whitelist .png and .gif in ‘/wp-admin/images/’, as the .css files that s2member loads don’t reference them.
Although it seems pretty brittle, the above approach appears to resolve the issue, but is the whitelist above sufficient? Are there any other non-css/js files that s2member may also be referencing or even injecting via ajax or conditionally via php that I also need to whitelist?
One suggestion that may be worth considering is to remove references to ‘wp-admin’ files altogether so folks can implement two-way authentication and even IP-address restrictions within ‘wp-admin’ without breaking s2member. s2member could instead load the .css and .js within its plugin folder.
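The whitelist the post describes, written out as an Apache 2.4 `.htaccess` for the `/wp-admin/` directory. This is an added example, not the poster's own rules and not part of s2Member; the credential-file path, the realm name and the Apache 2.4 `Require` syntax are assumptions. It grants anonymous access only to `.css` and `.js` files (the asset types the post says public pages reference) plus WordPress's own front-end AJAX endpoint, and leaves every other file behind HTTP authentication.

```apache
# Added example: /wp-admin/.htaccess for Apache 2.4 (assumed version/path).
# Goal: password-protect wp-admin without prompting visitors of public
# pages that reference static admin assets.

# Keep the credential file outside the web root (assumed path).
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /etc/apache2/wp-admin.htpasswd

# Default for everything under /wp-admin/: a valid account is required.
Require valid-user

# Exemption 1: only the static asset types that front-end pages load.
# Keeping the pattern narrow (css/js, never *.php) is what keeps the
# whitelist safe; the more specific section overrides the directory
# default only for files whose name matches.
<FilesMatch "\.(css|js)$">
    Require all granted
</FilesMatch>

# Exemption 2: WordPress serves front-end AJAX requests through this
# endpoint, so a plugin calling it from a public page would otherwise
# hit the credential prompt. Omit this block if nothing on the public
# site uses it.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Optional hardening mentioned in the post: require both a password and a
# trusted source address. Replace the bare "Require valid-user" above with
# this block; 203.0.113.0/24 is a documentation-range placeholder.
#<RequireAll>
#    Require valid-user
#    Require ip 203.0.113.0/24
#</RequireAll>
```

After deploying, check the split from outside: `curl -I` against a `.css` URL under `/wp-admin/` should return `200`, while `/wp-admin/index.php` should return `401` without credentials. Any public page that still prompts is referencing an admin file outside the two exemptions, which the browser's network tab will show as a `401` response.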