Apache protected directories under Wordpress and Joomla don't work: 404 not found

vancanneyt (Verified User, joined Dec 13, 2012, 92 messages)
When you password protect a directory of the backend area of a CMS (Joomla and/or WordPress), the backend returns a 404 not found error.
For example, when you have a Joomla installation, the backend interface to manage the site is in a directory called 'administrator'. When you password protect this directory using the DirectAdmin password protect option in the control panel, the backend becomes unreachable (404 not found error), leaving the user behind with a non-working backend.
After research by the Joomla Development Team (see https://github.com/joomla/joomla-cms/issues/6339) it turns out that default Apache installations don't have that issue because they have a default handler for 401 errors, which probably isn't present on DirectAdmin installations.

Because there are probably a lot of Joomla and WordPress sites around that want to protect their backend interface, it would be a good thing if it were fixed.
The fastest solution was to add the following line in the .htaccess file after you password protected a directory:
Code:
ErrorDocument 401 default
but that's probably not the best one, I suppose...
 
If you're looking to protect against such things as SQL injections plus others, then I recommend this. It WORKS great even though it hasn't been updated in a while. Don't let people tell you it's no good because... It Is!! It protects ALL of my WP sites. I do use some SPAM prevention and a Ban IP for stubborn ones.

It's called WordPress FireWall 2:
https://wordpress.org/plugins/wordpress-firewall-2/
This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

Here is a copy of the emails I get:
WordPress Firewall has detected and blocked a potential attack!
Web Page: www.mysite.com/wp-content/plugins/wp-custom-pages/wp-download.php?download=../../../wp-config.php
Warning: URL may contain dangerous content!
Offending IP: 198.57.162.202 [ Get IP location ]
Offending Parameter: download = ../../../wp-config.php

This may be a "Directory Traversal Attack."

Click here for more information on this type of attack.

If you suspect this may be a false alarm because of something you recently did, try to confirm by repeating those actions. If so, whitelist it via the "whitelist this variable" link below. This will prevent future false alarms.

Click here to whitelist this variable.
Click here to turn off these emails.

Other ideas, other than a straight .htaccess with protected directories, are these:

***************************************************************************************
Create a .htpasswds file. You can do so easily by using this generator:
http://www.htaccesstools.com/htpasswd-generator/
Upload this file outside your /public_html/ directory. A good path would be:
home/user/.htpasswds/public_html/wp-admin/passwd/
Then, create a .htaccess file and upload it in the /wp-admin/ directory. Then add the following code in there:

Code:
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere

You must update your username in there. Also don’t forget to update the AuthUserFile location path.
*************************************************************************************

OR
*************************************************************************************
It must be /wp-admin/.htaccess. If you don't see that file, then create a blank file, name it .htaccess in your wp-admin folder.
Then paste the following code:

Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist user1 IP address
allow from xx.xx.xx.xxx
# whitelist User2 IP address
allow from xx.xx.xx.xxx
# whitelist User3 IP address
allow from xx.xx.xx.xxx
# whitelist Muhammad's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>
*******************************************************************************
 
My apologies :(
Seems someone has taken the Firewall2 and made a nice plugin. I'm testing it now, but this just may be the answer to your troubles without having to protect the admin folder.
If this works as good as and even better than the original, I'm in for all my 50 WP sites :)
Although I'm just getting to look at it now, it doesn't look simple, as in plain Jane, but rather nicely built :)

Simple FireWall

One of the many settings:
Enable Plugin Feature: Admin Access Restriction
 
Maybe I wasn't clear enough ;)

On Joomla and WordPress forums and docs they advise people to password protect the backend interface (wp-admin on WordPress and administrator on Joomla). When you use the DirectAdmin function to password protect that directory, it breaks the backend. It gives a 404 not found error and doesn't ask for the username/password as defined by the DirectAdmin password protect function. This leaves users behind with a non-working website.
The reason why it gives a 404 error is explained in the original post.
To me it looks like an issue in the Apache installation and/or the password protect function in DirectAdmin that leaves users behind with unreachable backend interfaces when enabling the option.
 
Hello,

I guess I know what you're writing about. We faced the issue for the first time in 2013, and here is what we use as a solution:

Code:
<FilesMatch "wp-login.php">
AuthType basic
AuthName "secretUsername"
AuthUserFile /home/username/wp-admin-attack-htpasswd-file
Require valid-user
</FilesMatch>
ErrorDocument 401 "Authentication required"


The key line is the last one in the output.

Or you may customize /etc/httpd/conf/extra/httpd-multilang-errordoc.conf and change the line:

Code:
ErrorDocument 401 /401.shtml

to

Code:
#ErrorDocument 401 /401.shtml

and copy your modified file to /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-multilang-errordoc.conf

You should create the folder structure if it is missing. You should copy the file to protect your customization against being rewritten.
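The snippets in this thread share a handful of pitfalls worth checking before a wp-admin .htaccess goes live: the missing ErrorDocument 401 override that produces the 404 symptom from the first post (which zEitEr's `ErrorDocument 401 "Authentication required"` line addresses), Auth* directives with no `Require` (as in the IP allow-list variant, where only the allow/deny list does any work), a password file placed under the document root, and access rules wrapped in `<LIMIT GET>`, which Apache's own documentation warns leaves every other method (POST, HEAD, ...) unrestricted. The small linter below runs those checks over the configurations posted earlier in the thread. It is an added example, not code from the thread, from DirectAdmin or from Apache; the finding codes, the default docroot path and the sample IP address are assumptions made up for the demo, and the sample configurations are copied from the posts above.

```python
"""Lint an Apache .htaccess snippet for the basic-auth pitfalls raised in this
thread.  Added example: not code from the thread, DirectAdmin or Apache; the
finding codes and the docroot default are assumptions made for the demo."""
import re
from typing import List, Tuple

Directive = Tuple[str, str, str]  # (name lower-cased, arguments, enclosing section)


def parse_htaccess(text: str) -> List[Directive]:
    """Split .htaccess text into directives, remembering the innermost
    container (<Limit GET>, <FilesMatch ...>) each directive sits in."""
    directives: List[Directive] = []
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):           # closing tag, e.g. </LIMIT>
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):            # opening tag, e.g. <LIMIT GET>
            stack.append(line.strip("<>").strip())
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        args = parts[1] if len(parts) > 1 else ""
        directives.append((parts[0].lower(), args, stack[-1] if stack else ""))
    return directives


def lint_htaccess(text: str, docroot: str = "/home/user/public_html") -> List[str]:
    """Return 'CODE: explanation' strings; an empty list means no findings."""
    d = parse_htaccess(text)
    names = {name for name, _, _ in d}
    findings: List[str] = []

    # Auth* directives do nothing by themselves: without a Require, Apache
    # never challenges the client, so no password is enforced at all.
    if names & {"authtype", "authuserfile", "authname"} and "require" not in names:
        findings.append("AUTH_WITHOUT_REQUIRE: Auth* directives but no Require, "
                        "so no password is enforced")

    # The 404-instead-of-login symptom: a Require with no ErrorDocument 401
    # override leaves the server-wide 401 error page in charge.
    has_401 = any(name == "errordocument" and args.split()[:1] == ["401"]
                  for name, args, _ in d)
    if "require" in names and not has_401:
        findings.append("NO_ERRORDOCUMENT_401: add 'ErrorDocument 401 default' "
                        "(or a literal message) next to the Require")

    # The password file must not be reachable through the web server.
    for name, args, _ in d:
        if name == "authuserfile" and args.startswith(docroot.rstrip("/") + "/"):
            findings.append(f"AUTHUSERFILE_IN_DOCROOT: {args} lies under {docroot}")

    # Rules inside <Limit GET> apply to GET only; other methods pass through.
    if any(sec.lower().split()[:1] == ["limit"] and name in ("deny", "allow", "require")
           for name, _, sec in d):
        findings.append("LIMIT_GET_ONLY: access rules wrapped in <Limit GET> do not "
                        "cover POST/HEAD; drop the <Limit> wrapper")
    return findings


def finding_codes(text: str, docroot: str = "/home/user/public_html") -> List[str]:
    """Just the CODE part of each finding, handy for assertions and reports."""
    return [f.split(":", 1)[0] for f in lint_htaccess(text, docroot)]


# Sample inputs copied from the posts above (IP address constructed).
WP_ADMIN_PASSWORD = """
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
"""

WP_ADMIN_IP_ALLOWLIST = """
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist user1 IP address
allow from 192.0.2.10
</LIMIT>
"""

LOGIN_ONLY = """
<FilesMatch "wp-login.php">
AuthType basic
AuthName "secretUsername"
AuthUserFile /home/username/wp-admin-attack-htpasswd-file
Require valid-user
</FilesMatch>
ErrorDocument 401 "Authentication required"
"""

if __name__ == "__main__":
    for label, cfg in [("password", WP_ADMIN_PASSWORD),
                       ("ip-allowlist", WP_ADMIN_IP_ALLOWLIST),
                       ("login-only", LOGIN_ONLY)]:
        print(label, lint_htaccess(cfg) or ["clean"])
```

Run against the three configurations from the thread, only zEitEr's login-only variant comes back clean; the first wp-admin snippet is flagged for the missing 401 override, and the IP allow-list snippet for both its dead Auth* lines and the `<LIMIT GET>` wrapper.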
 
Great help from all of you.

I have a different reason to password protect directories; I like to password protect directories on WP sites before the site is ready. That way I can keep it live for ease of testing, yet protect the site from search engines which don't honor the robots.txt command.

zEitEr, will your code work for this?

And does it go into .htaccess?

Thanks.

Jeff
 