Johnvh.com - home of Dallas, Texas based Flash Developer and web enthusiast John Van Horn

Online home of John Van Horn

Wordpress, mod rewrite, and htaccess nightmare

So I recently blogged about using digest authentication instead of basic to secure your wp-admin directory. When I implemented this myself I had it set up and working on a subdomain, but I had the authentication directive in the root .htaccess file as well as in wp-admin/.htaccess, which made it appear to work just fine. When I went to implement it here on my live site, though, I ran into an issue: the rewrite was being applied no matter what. Requests to /wp-admin were being rewritten, handled by index.php, and 404'ing.

So save yourself some headaches and searching, and put the following in your root .htaccess file:

CODE:
  ErrorDocument 401 /error.html
  ErrorDocument 403 /error.html

Just make sure that file (error.html) actually exists.
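The condition the post insists on, that each ErrorDocument target really exists as a file under the document root, is easy to get wrong when the error page is created later or in the wrong directory. The script below is an added example (not from the original post) that parses a root .htaccess, checks every local ErrorDocument target against a document root, and reports the ones that are missing. The sample .htaccess is constructed: the two ErrorDocument lines from the post placed ahead of the standard WordPress rewrite block, whose `!-f`/`!-d` conditions would send any non-existent error page to index.php.

```python
"""Added example, not from the original post: check a root .htaccess so that
every ErrorDocument names a file that really exists under the document root,
which is the condition the post says must hold for the 401/403 fix to work."""
import os
import re
import tempfile

# Constructed sample root .htaccess: the two ErrorDocument lines from the post
# placed ahead of the standard WordPress rewrite block.
SAMPLE_HTACCESS = """\
ErrorDocument 401 /error.html
ErrorDocument 403 /error.html

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# ErrorDocument <3-digit status> <target>; the target may be a local path,
# a full URL, or a quoted message string.
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.IGNORECASE)


def parse_error_documents(htaccess_text):
    """Map each status code to the target of its ErrorDocument directive."""
    docs = {}
    for line in htaccess_text.splitlines():
        match = ERRORDOC_RE.match(line)
        if match:
            docs[int(match.group(1))] = match.group(2)
    return docs


def missing_error_documents(htaccess_text, docroot):
    """Return (status, target) pairs whose target is a local path with no
    regular file behind it under docroot.  With the rewrite block above, such
    a target is not served as a static page but rewritten to index.php.
    Full URLs and quoted messages are not files, so they are skipped."""
    missing = []
    for status, target in parse_error_documents(htaccess_text).items():
        if not target.startswith("/"):
            continue
        path = os.path.join(docroot, target.lstrip("/"))
        if not os.path.isfile(path):
            missing.append((status, target))
    return missing


def check_sample(create_error_page):
    """Run the check against the sample in a throwaway document root,
    optionally creating error.html first.  Returns the missing targets."""
    with tempfile.TemporaryDirectory() as docroot:
        if create_error_page:
            with open(os.path.join(docroot, "error.html"), "w") as fh:
                fh.write("<h1>Access denied</h1>\n")
        return missing_error_documents(SAMPLE_HTACCESS, docroot)


if __name__ == "__main__":
    print("without error.html:", check_sample(False))
    print("with error.html:   ", check_sample(True))
```

Run it against a real site by passing the contents of the root .htaccess and the actual document root to `missing_error_documents`; an empty list means every error page is in place.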

I don't exactly know why this works, but it does. I also don't know who is to blame. Textpattern blames Apache configurations that have no valid error documents to serve (they also have the solution). Dreamhost blames overly aggressive rewrite conditions, but I'm not sure about that either; it seems to me the rewrite conditions are being used correctly. Sure, the requested URI needs authentication, but it exists on disk. Props to other folks too for other ideas, and the final solution.

Master bathroom progress

Just finished up a long day of working on the bathroom. The shower stall is now officially ready to tile. Here are a few pics.

Vapor barrier over sheetrock before backer board is hung

Backer board done

Use digest authentication

I've seen several articles that discuss Wordpress security - just search for it - say that you should password protect the wp-admin directory. You can do this easily with Apache by using authentication directives, which let you, per directory, require a valid user name and password from a client before serving up any content. As of right now, two types of authentication are available out of the box: basic authentication and digest authentication.

All the security articles I've read recommend setting up basic authentication. I understand that the point is to have password protected access, but basic authentication is not secure. When your browser is challenged with the basic authorization scheme, the user name and password you enter are just base64-encoded. If someone intercepted a request header on the way to your server after you've authenticated, there would be virtually no work at all involved in decoding your user name and password.

Alternatively, and just as easily, you can use digest authentication, which is considered to be much more secure than basic. It uses MD5 hashing and other techniques so that what is sent is effectively one way.

Consider the following excerpts from a .htaccess file:

CODE:
  # Use digest authentication
  AuthType Digest
  AuthName "private"
  # Apache 2.0 directive; Apache 2.2 and later use AuthUserFile for digest as well
  AuthDigestFile /home/yourusername/.htdigest
  Require valid-user

CODE:
  # Use basic authentication
  AuthUserFile /home/yourusername/.htpasswd
  AuthName "restricted"
  AuthType Basic
  Require valid-user

Both should be fairly easy to set up with the Auth directives, and Apache ships with CLI tools for adding users to the password files: htpasswd and htdigest.
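To make the difference between the two schemes concrete, here is an added example (not from the original post) that builds the Authorization header a browser sends for Basic and shows that it decodes straight back to the credentials, then walks through a Digest exchange: the line htdigest writes to the AuthDigestFile, the response a client computes, and the server-side check that needs only the stored hash and the nonce it issued. The realm matches the AuthName "private" from the excerpt above; the user name, password, nonce and URI are constructed values.

```python
"""Added example, not from the original post: what a Basic Authorization
header gives away, versus how a Digest exchange lets Apache verify a
password that never crosses the wire.  The user name, password, nonce
and URI are constructed values; the realm matches AuthName "private"."""
import base64
import hashlib
import hmac

REALM = "private"
USER = "editor"                                    # constructed
PASSWORD = "correct horse battery"                 # constructed
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"       # constructed server nonce
METHOD, URI = "GET", "/wp-admin/"


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header a browser sends after a Basic challenge."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_header_contents(header):
    """Everything the Basic header carries: base64 is an encoding, not
    encryption, so the credentials come straight back out."""
    return base64.b64decode(header.split(" ", 1)[1]).decode()


def htdigest_line(user, realm, password):
    """One line of the AuthDigestFile as htdigest writes it:
    user:realm:MD5(user:realm:password).  This hash (HA1) is all the
    server keeps; the plaintext password is not stored."""
    return f"{user}:{realm}:{md5hex(f'{user}:{realm}:{password}')}"


def digest_response(user, realm, password, method, uri, nonce):
    """Client side of an RFC 2617 Digest exchange without qop:
    response = MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(htdigest_text, user, realm, method, uri, nonce, response):
    """Server side: recompute the expected response from the stored HA1 and
    the nonce it issued, and compare in constant time."""
    for line in htdigest_text.splitlines():
        stored_user, stored_realm, ha1 = line.split(":", 2)
        if stored_user == user and stored_realm == realm:
            expected = md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")
            return hmac.compare_digest(expected, response)
    return False


if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print("Basic header on the wire :", header)
    print("...which contains        :", basic_header_contents(header))
    stored = htdigest_line(USER, REALM, PASSWORD)
    print(".htdigest line           :", stored)
    resp = digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE)
    print("Digest response on wire  :", resp)
    print("server accepts           :",
          server_verify(stored, USER, REALM, METHOD, URI, NONCE, resp))
```

Apache's mod_auth_digest issues qop="auth" challenges by default, which fold a request counter and a client nonce into the hash; the no-qop form above is the simpler RFC 2617 variant and uses the same HA1, so the .htdigest file format is unchanged. Digest keeps the password itself off the wire and a captured response is tied to one nonce, but the response is still an MD5 over a low-entropy secret and everything after login (pages, cookies) travels in the clear, so it complements HTTPS on wp-admin rather than replacing it.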