Exclude password protected folders using .htaccess

How can I exclude individual folders using .htaccess?

For example I have Wordpress 3.0.1 MU installed in the root of the domain using subfolders, not subdomains.

I have Joomla installed in a subfolder and want to password protect the administrator folder for extra security.

When I use .htaccess in that folder to do the password protection, Wordpress throws me back to the front page and the protected Joomla admin folder is inaccessible.

I am guessing I either need to add some code to the .htaccess in the Joomla admin folder, or to the .htaccess of main WP MU install, or both.

I've tried the folder exclusion codes recommended by people on the Internet but they either have no effect or get me a site-wide 500 error.

If the main site is /home/mysite/public_html, the subfolder is /home/mysite/public_html/joomla, and the password protected folder is /home/mysite/public_html/joomla/administrator, where the domain is http://www.mysite.com, what code should I use to get WPMU to let me both password protect and access http://www.mysite.com/joomla/administrator ?

  • Mason

    Hello Specialist,

    Yep, you can exclude a folder (or multiple folders) with the .htaccess file in WordPress:
    Below is a default .htaccess file for WordPress:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    The line to add to this, to exclude a folder from being rewritten is:

    RewriteCond %{REQUEST_URI} !^/(foldername|foldername/.*)$

    Simply replace "foldername" with your own subfolder that needs to be excluded from the rewrite. So the complete .htaccess content would become:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/(foldername|foldername/.*)$
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    If you want to exclude multiple folders change the new line above to:
    RewriteCond %{REQUEST_URI} !^/(folder1|folder2|folder3).*$

    Hope this helps! :smiley:
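
The exclusion patterns from the answer above, checked against sample request paths. This is an added example, not code from the thread: it models the three RewriteCond lines in Python, and the `joomla`/`forum`/`stats` folder names, the sample URIs and the `MULTI_ANCHORED` pattern are assumptions.

```python
import re

# Patterns from the answer above, with "joomla" substituted for "foldername".
SINGLE = r"^/(joomla|joomla/.*)$"
# Multi-folder form from the answer; the folder names are constructed samples.
MULTI = r"^/(joomla|forum|stats).*$"
# Assumption, not from the thread: the multi-folder form anchored on a "/" boundary.
MULTI_ANCHORED = r"^/(joomla|forum|stats)(/.*)?$"

# Constructed request URIs (none taken from a real log).
SAMPLE_URIS = [
    "/joomla",
    "/joomla/administrator/",
    "/joomla/administrator/index.php?option=com_login",
    "/joomla-old/readme",
    "/forums/topic-1",
    "/blog/hello-world",
]


def goes_to_wordpress(uri, exclude_pattern, on_disk=False):
    """Model the rule set: the request is rewritten to /index.php only when
    every RewriteCond holds."""
    path = uri.split("?", 1)[0]           # %{REQUEST_URI} excludes the query string
    if re.search(exclude_pattern, path):  # RewriteCond %{REQUEST_URI} !pattern
        return False
    if on_disk:                           # RewriteCond %{REQUEST_FILENAME} !-f / !-d
        return False
    return True


def exempt(pattern, uris=SAMPLE_URIS):
    """URIs that the pattern keeps away from the WordPress rewrite."""
    return [u for u in uris if not goes_to_wordpress(u, pattern)]


if __name__ == "__main__":
    for name, pattern in [("single", SINGLE), ("multi", MULTI),
                          ("multi, anchored", MULTI_ANCHORED)]:
        print(f"{name:16} {pattern}")
        for uri in exempt(pattern):
            print(f"    not rewritten: {uri}")
```

The unanchored multi-folder pattern also exempts `/joomla-old/readme` and `/forums/topic-1`, because `.*` follows the folder name with no `/` boundary.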

  • Specialist

    Thanks for that.

    It works brilliantly for folders which are not password protected, but as soon as you apply .htaccess password protection to that folder you get slung back to the home page and the folder is inaccessible.

    In the end the guys at Open Source Excellence recommended protecting the administrator folders by limiting the IP access to my own IP address using the following code in the .htaccess in the folders I wanted to protect from general access:

    ######## start code ###########

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    # END WordPress

    # BEGIN IP Address Limit
    Order Deny,Allow
    Deny from all
    Allow from **.*.***.**
    # END IP Address Limit

    ########## end code ##########

    Where **.*.***.** is your own IP address.

    This works perfectly in terms of reducing the access risk, with the only drawback being that I have to edit the .htaccess every time my IP address changes because my broadband ISP doesn't offer static IP addresses.

    Obviously it doesn't rule out anyone on the same IP address from accessing the administrator folders, but it does reduce the overall risk dramatically.

  • Specialist

    Found some interesting tips regarding further securing Joomla on Sigsiu.NET too which might be of interest even though it isn't WP/WPMU specific.

    I've added the non Joomla (check default Joomla .htaccess for the bits that apply) code to the main WPMU .htaccess which has a Joomla install in a subfolder and it doesn't seem to have hurt.

    I did that because I Googled for "proc/self/environ" when I was getting OSE reports of:
    Query String: page=../../../../../../../../../../../../../../../proc/self/environ
    Violation: Layer 1 Protection [Exploit: proc/self/environ]

    ... (on a site which was until recently pure hand built php with WP Blog in subfolder and is now Joomla based with no WP Blog yet) ....

    Anyway, the .htaccess code below is said to deal with that particular issue.

    #### @RS if the request contains /proc/self/environ
    RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
    #### @RS
    (This is a code snippet from a longer .htaccess on the link mentioned earlier)

    It may be that none of it applies to WP but I thought it worth mentioning in an .htaccess x joomla x security thread.

    I am currently on a mega security mission with regard to my own sites as crashed or hacked sites are sooooo much hard work and always happen at the worst possible time!!
