[wp-hackers] Protecting a static dir
otto at ottodestruct.com
Mon Feb 4 16:07:59 GMT 2008
On Feb 3, 2008 12:22 PM, Hacker Scot <shacker at birdhouse.org> wrote:
> No problem putting a static dir in the WP docroot. But if you
> protect that static dir with .htaccess, suddenly WP tries to handle
> it and gives a 404.
Let me check on what you're trying to do... You're making a
subdirectory under WordPress. You're trying to make that subdirectory
require basic authentication using .htaccess (and possibly a .htpasswd
If that's correct, then add these lines to the beginning of
WordPress's .htaccess file:
ErrorDocument 401 /path/to/somefile.html
ErrorDocument 403 /path/to/somefile.html
Create a "somefile.html" somewhere. It can be blank, but it must
exist. I call mine blank.html.
Oddly enough, your authentication will then start working. The reason
is because of the odd combination of circumstances setup here. When
somebody tries to access that subdirectory, they are first denied
access with a 401 Unauthorized error code. This normally would be
sent back to the browser, and would cause it to ask for a
However, WordPress' .htaccess file redirects everything to index.php.
Including that 401 error. This lets WordPress take over and suddenly
you're not sending a 401 back anymore, you're sending back the
By forcing the 401 to point at an actual existing file, the
RewriteRule won't take effect, because of the condition that the
request not be asking for an actual file. That's the !-f part of the
The 403 doesn't necessarily need to be forced to a file, but it
doesn't hurt and might help in some edge cases.
More information about the wp-hackers