[wp-hackers] Protecting a static dir

Otto otto at ottodestruct.com
Mon Feb 4 16:07:59 GMT 2008

On Feb 3, 2008 12:22 PM, Hacker Scot <shacker at birdhouse.org> wrote:
> No problem putting a static dir in the WP  docroot. But if you
> protect  that static dir with .htaccess, suddenly WP tries  to handle
> it and  gives a 404.

Let me check on what you're trying to do... You're making a
subdirectory under WordPress. You're trying to make that subdirectory
require basic authentication using .htaccess (and possibly a .htpasswd

If that's correct, then add these lines to the beginning of
WordPress's .htaccess file:
ErrorDocument 401 /path/to/somefile.html
ErrorDocument 403 /path/to/somefile.html

Create a "somefile.html" somewhere. It can be blank, but it must
exist. I call mine blank.html.

Oddly enough, your authentication will then start working. The reason
is because of the odd combination of circumstances setup here. When
somebody tries to access that subdirectory, they are first denied
access with a  401 Unauthorized error code. This normally would be
sent back to the browser, and would cause it to ask for a

However, WordPress' .htaccess file redirects everything to index.php.
Including that 401 error. This lets WordPress take over and suddenly
you're not sending a 401 back anymore, you're sending back the
WordPress page.

By forcing the 401 to point at an actual existing file, the
RewriteRule won't take effect, because of the condition that the
request not be asking for an actual file. That's the !-f part of the
WordPress rules.

The 403 doesn't necessarily need to be forced to a file, but it
doesn't hurt and might help in some edge cases.


More information about the wp-hackers mailing list