
Thread: Apache protected directories under Wordpress and Joomla don't work: 404 not found

  1. #1
    Join Date
    Dec 2012
    Posts
    76

    Apache protected directories under Wordpress and Joomla don't work: 404 not found

    When you password protect a directory of the backend area of a CMS (Joomla and/or WordPress), the backend returns a 404 not found error.
    For example, when you have a Joomla installation, the backend interface to manage the site is in a directory called 'administrator'. When you password protect this directory using the DirectAdmin password protect option in the control panel, the backend becomes unreachable (404 not found error), leaving the user behind with a non-working backend.
    After research by the Joomla Development Team (see https://github.com/joomla/joomla-cms/issues/6339) it turns out that default Apache installations don't have that issue because they have a default handler for 401 errors, which probably isn't present on DirectAdmin installations.

    Because there are probably a lot of Joomla and WordPress sites around that want to protect their backend interface, it would be a good thing if it were fixed.
    The fastest solution was to add the following line to the .htaccess file after you password protected a directory:
    Code:
    ErrorDocument 401 default
    but that's probably not the best one, I suppose...
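A quick way to verify whether a protected backend directory actually challenges for credentials or shows the broken behaviour described in this post is to make one unauthenticated request and look at the status and headers. The script below is an added example, not code from the thread; the URL in it is a placeholder and the responses in the test are constructed.

```python
"""Classify the reply of an Apache password-protected directory.

Added example (not from the thread). A working Basic-auth setup answers an
unauthenticated request with 401 plus a WWW-Authenticate header; the symptom
reported here is a 404 instead, typically because the 401 ErrorDocument that
Apache tries to serve does not exist under the site's document root.
"""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report redirects instead of following them, so we see the real code."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError with the 3xx code


def diagnose(status: int, headers: dict) -> str:
    """Map an HTTP status and response headers to a verdict string."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        if "www-authenticate" in hdrs:
            return "OK: 401 with WWW-Authenticate, the browser will prompt for credentials"
        return "BROKEN: 401 without a WWW-Authenticate header, clients cannot authenticate"
    if status == 404:
        return ("BROKEN: 404 instead of 401, the 401 ErrorDocument is probably unreachable "
                "(try 'ErrorDocument 401 default' in the protected directory's .htaccess)")
    if status in (301, 302, 303, 307, 308):
        return "REDIRECT: %d -> %s, follow it and re-test" % (status, hdrs.get("location", "?"))
    if status == 200:
        return "UNPROTECTED: 200 without any authentication challenge"
    return "UNEXPECTED: HTTP %d" % status


def probe(url: str, timeout: float = 10.0) -> str:
    """Perform one unauthenticated GET against url and classify the reply (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "auth-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return diagnose(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, dict(err.headers))


if __name__ == "__main__":
    import sys
    # Placeholder URL: replace with your own protected backend, e.g. .../administrator/
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.invalid/administrator/"
    print(probe(target))
```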

  2. #2
    Join Date
    Oct 2006
    Posts
    576
    If you're looking to protect against such things as SQL injections plus others, then I recommend this. It WORKS great even though it hasn't been updated in a while. Don't let people tell you it's no good, because it is!! It protects ALL of my WP sites. I do use some SPAM prevention and a Ban IP for stubborn ones.

    It's called WordPress FireWall 2:
    https://wordpress.org/plugins/wordpress-firewall-2/
    This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.
    Here is a copy of the emails I get:
    WordPress Firewall has detected and blocked a potential attack!
    Web Page: http://www.mysite.com/wp-content/plu.../wp-config.php
    Warning: URL may contain dangerous content!
    Offending IP: 198.57.162.202 [ Get IP location ]
    Offending Parameter: download = ../../../wp-config.php

    This may be a "Directory Traversal Attack."

    Click here for more information on this type of attack.

    If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the "whitelist this variable" link below. This will prevent future false alarms.

    Click here to whitelist this variable.
    Click here to turn off these emails.
    Other ideas, other than a straight .htaccess with protected directories, are these:

    ***************************************************************************************
    Create a .htpasswds file. You can do so easily by using this generator:
    http://www.htaccesstools.com/htpasswd-generator/
    Upload this file outside your /public_html/ directory. A good path would be:
    home/user/.htpasswds/public_html/wp-admin/passwd/
    Then, create a .htaccess file and upload it to the /wp-admin/ directory. Then add the following code in there:

    AuthName "Admins Only"
    AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
    AuthGroupFile /dev/null
    AuthType basic
    require user putyourusernamehere

    You must update your username in there. Also don't forget to update the AuthUserFile location path.
    *************************************************************************************

    OR
    *************************************************************************************
    It must be /wp-admin/.htaccess; if you don't see that file, then create a blank file, name it .htaccess and put it in your wp-admin folder.
    Then paste the following code:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic
    # Note: <Limit GET> scopes the rules below to GET (and HEAD) requests only;
    # other methods such as POST are not restricted by this block. Drop the
    # <Limit> wrapper if the IP allowlist should apply to every request method.
    <Limit GET>
    order deny,allow
    deny from all
    # whitelist user1 IP address
    allow from xx.xx.xx.xxx
    # whitelist User2 IP address
    allow from xx.xx.xx.xxx
    # whitelist User3 IP address
    allow from xx.xx.xx.xxx
    # whitelist Muhammad's IP address
    allow from xx.xx.xx.xxx
    # whitelist Work IP address
    allow from xx.xx.xx.xxx
    </Limit>
    *******************************************************************************

  3. #3
    Join Date
    Oct 2006
    Posts
    576
    My apologies.
    It seems someone has taken the Firewall2 and made a nice plugin. I'm testing it now, but this just may be the answer to your troubles without having to protect the admin folder.
    If this works as well as or even better than the original, I'm in for all my 50 WP sites.
    Although I'm just getting to look at it now, it doesn't look simple, as in plain Jane, but rather nicely built.

    Simple FireWall

    one of the many settings
    Enable Plugin Feature: Admin Access Restriction

  4. #4
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,783
    I use this plugin: https://wordpress.org/plugins/all-in...-and-firewall/

    It is pretty well done and provides many hints to improve WP security that you can enable directly from the WP Admin interface.

    Regards
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  5. #5
    Join Date
    Dec 2012
    Posts
    76
    Maybe I wasn't clear enough.

    On Joomla and WordPress forums and docs they advise people to password protect the backend interface (wp-admin on WordPress and administrator on Joomla). When you use the DirectAdmin function to password protect that directory, it breaks the backend. It gives a 404 not found error and doesn't ask for the username/password as defined by the DirectAdmin password protect function. This leaves users behind with a non-working website.
    The reason why it gives a 404 error is explained in the original post.
    To me it looks like an issue in the Apache installation and/or the password protect function in DirectAdmin that leaves users behind with unreachable backend interfaces when enabling the option.
    Last edited by vancanneyt; 03-08-2015 at 12:07 PM. Reason: Typo

  6. #6
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,311
    Hello,

    I guess I know what you're writing about. We faced the issue for the first time in 2013, and here is what we use as a solution:

    Code:
    <FilesMatch "wp-login.php">
    AuthType basic
    AuthName "secretUsername"
    AuthUserFile /home/username/wp-admin-attack-htpasswd-file
    Require valid-user
    </FilesMatch>
    ErrorDocument 401 "Authentication required"

    The key line is the last one in the output.

    Or you may customize /etc/httpd/conf/extra/httpd-multilang-errordoc.conf and change the line:

    Code:
    ErrorDocument 401 /401.shtml
    to

    Code:
    #ErrorDocument 401 /401.shtml
    and copy your modified file to /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-multilang-errordoc.conf

    You should create the folder structure if it is missing. You should copy the file to protect your customization against being overwritten.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  7. #7
    nobaloney is offline NoBaloney Internet Svcs - In Memoriam †
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,122
    Great help from all of you.

    I have a different reason to password protect directories: I like to password protect directories on WP sites before the site is ready; that way I can keep it live for ease of testing, yet protect the site from search engines which don't honor the robots.txt command.

    zEitEr, will your code work for this?

    And does it go into .htaccess?

    Thanks.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  8. #8
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,311
    Quote Originally Posted by nobaloney View Post
    zEitEr, will your code work for this?
    You may use a DirectAdmin built-in function to password protect directories. My example shows how to password protect a single page. That is the way we used to protect it against brute force.

    Quote Originally Posted by nobaloney View Post
    And does it go into .htaccess?
    Yes, or whenever it's allowed by apache: http://httpd.apache.org/docs/current...tml#filesmatch
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook
