Proteting wp-login.php using <FilesMatch>

snippetfactory · March 21, 2020, 10:52am

In order to protect the ClassicPress installation, I’ve previously used a snippet like this in my .htaccess file:

<FilesMatch "wp-login.php">
AuthName "Members and Admin only"
AuthUserFile "/home/account/.htpasswds/folder/.htpasswd"
AuthType Basic
require valid-user
</FilesMatch>

This would then prompt the user to provide a valid username and password before getting to the actual login screen. This works with WordPress, but for some reason it does not work with ClassicPress.

The same goes for this: RewriteRule ^login$ https://URL/wp-login.php [NC,L] which is a simple way of changing the login URL. It does not work either.

Is there a specific CP way I should do this? CP works good otherwise.

anon71687268 · March 21, 2020, 11:21am

My .htaccess uses Files rather than FilesMatch. This isn’t specific to ClassicPress, though.

<Files "wp-login.php">
AuthName "Members and Admin only" 
AuthUserFile "/home/account/.htpasswds/folder/.htpasswd" 
AuthType Basic
require valid-user 
</Files>

Not sure about the login redirect issue…perhaps someone else can assist.

…and welcome to the community.

snippetfactory · March 21, 2020, 11:24am

Hey and thanks for the welcome!
I’ll give that a try.

snippetfactory · March 21, 2020, 11:29am

That did not work either. I’ve raised this with my host, maybe they can figure it out.

anon71687268 · March 21, 2020, 11:31am

As one last-ditch effort, you might try reordering your arguments – this is the order I used. No idea if it makes a difference.

AuthType Basic
AuthName “Your Text”
AuthUserFile “/your/path/to/.htpasswd”
require valid-user

snippetfactory · March 21, 2020, 3:54pm

I got it fixed.
I had to modify the permalink structure into this:
# BEGIN ClassicPress

RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ./ /index.php [L]

# END ClassicPress

Notice te double / / for the index.

Then add the password auth this way:
<FilesMatch “wp-login.php”>
AuthType Basic
AuthName “Authorized Only”
AuthUserFile “/home/account-name/.htpasswds/public_html/passwd”
require valid-user

And finally, add the login URL like this:
RewriteRule ^login$ https://URL/wp-login.php [NC,L]

All working fine now. This might help someone else as well.
Running PHP 7.2 with latest CP version.