WordPress and password protected sub directories using htaccess (mod_rewrite)

July 3rd, 2009 by K79 Leave a reply »

Problem

  1. SubDir under WordPress / Web App : Sub directories under your WordPress installation used for other stuff are redirected to WordPress.
  2. Password Protected SubDir under WordPress / Web App : Some commonly thought out solutions for problem will not work where your subdir is password protected by .htaccess

Problem/Solution (1) Explained

When you want to use clean SEO friendly URLs for WordPress (or any other web application for that matter) you can use mod_rewrite to achieve clean URLs.
This is achieved by redirecting (actually rewriting) every request to one single point of entry (commonly index.php).
However using this method means that if you have a sub-folder or an actual file eg. otherstuff / status.html, apache might think that this should be redirected to your web app as well.
Web applications get around this by adding conditions so that the rewrite only works when the actual file/folder does not exist.

Example, WordPress will write a rewrite following in .htaccess for you (or give you the code to write yourself if you do not have .htaccess writeable).

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

This .htaccess will ensure that your blog / web app is now working on clean URLs. i.e. http://example.com/home/welcome instead of http://example.com/index.php?id=1

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
These lines make sure that rewrite does not happen for existing files and folder.

Bigger Problem (2)

A bigger problem is that you will lose some hair when trying to think why this simple trick endorsed by WordPressdoes not work with password protected directories with htaccess files of their own.
For the password protected directories to work apache needs to throw a  “401 Unauthorized” header and server an error file. On the other hand the idea for mod_rewrite is that it will not throw 404 error (or a 401 error) and pretend that the missing file (or protected file) exists.

You can overcome this dilemma by simply stating that the password protected directory should throw a 401 error on access.
There are multiple ways to achieve this in .htaccess based on your error handling method.

The Solution (2)

Add one of the following lines to your .htaccess in password protected directory.

ErrorDocument 401 default
(throws default 401 error)

ErrorDocument 401 "Unauthorised"
(throws 401 error with string Unauthorised (yes I am British))

ErrorDocument 401 /401.php
(throws 401 error with PHP file /401.php in root (yes I prefer PHP))
You can face the same problem for other error codes in slightly different situations, use your brain and leave a comment if I saved you some time.
Advertisement