Cannot protect wp-login.php (IP/htpasswd) in subdirectory


#1

Hi,

I’ve created the main site with ee site create example.com --mysql.

Then later I decided to add blog to this domain under example.com/blog . I’ve manually installed WP into this folder. I use this config and it works fine:

 location /blog {      
         index index.php;
         try_files $uri $uri/ /blog/index.php;
 }

Now I want to protect wp-login.php in /blog folder with HTTP authentification but it doesn’t work.

I’ve tried tons of combinations but none of them works . The last one I’ve tried was:

location ~* (wp-admin|wp-login.php) {
   auth_basic "Authorization Required";
   auth_basic_user_file /var/www/example.com/.htpasswd;
}

The interesting part is that password protection with the location block mentioned above works for wp-admin folder but it ignores the wp-login.php (no HTTP authentication dialog will appear)

Seems that wp-login.php file is handled also somewhere else but I cant find it. WP specific config files were not included into Nginx config as I didn’t create this blog with ee only the main domain.

Any suggestion ?


#2

Hi @ckissi, You’re right about the file already being handled elsewhere;
It’s in the wpcommon file located in /etc/nginx/common :wink:

You’re not alone! Making htpasswd work is something I’ve also been trying to accomplish these days but with no luck yet. Also tried the structure mentioned in the post Block wp-login.php bruteforce attack, still not working.

The only (but not recommended) way to get this working is to comment out or delete the location = /wp-login.php { ... block in wpcommon and use per-directory settings, but it will be overwritten when you update easyengine. :frowning:


#3

Does the plugin “Rename wp-login.php” help?


#4

Hey @meeekz, I don’t know about @ckissi but I haven’t tried it. I’d rather not have to rely on “another” plugin for a simple task like this. IMHO it should be more easy to accomplish through easyengine only.

Would be great to extend the secure command to include directories and files as optional arguments.

ee secure [Optional directory/file name] --auth [Optional user name] [Optional password]

Now, that would be handy (and cool) :sunglasses:


#5

I’d rather use WPS Hide Login, it is way more compatible with my blogs (I don’t know exactly why).


#6

@janiosarmento I use iThemes Security, it also includes the option to change the URLs for WordPress dashboard areas including login, admin and more. I still believe there should be an easier way to get this done via ee commands without the need of plugins. Hence the name “Easy” in EasyEngine right? :slight_smile:


#7

My opinion is irrelevant regarding what I consider easy or not. :wink:


#8
  1. When you manually install WP, did you insert include common/wpcommon.conf ?
  2. What was nginx error said?

#9