Johnvh.com - online home of John Van Horn » Wordpress http://johnvh.com Online home of Dallas, TX based web developer John Van Horn Fri, 13 Nov 2009 05:42:05 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Wordpress, mod rewrite, and htaccess nightmare http://johnvh.com/2009/02/17/wordpress-mod-rewrite-and-htaccess-nightmare/ http://johnvh.com/2009/02/17/wordpress-mod-rewrite-and-htaccess-nightmare/#comments Wed, 18 Feb 2009 05:08:40 +0000 johnvh http://johnvh.com/?p=157 So I recently blogged about using digest authentication instead of basic for securing your wp-admin directory. When implementing this myself, I had it all set up and working on a subdomain. But, I had the authentication directive in the root .htaccess file as well as the wp-admin/.htaccess file. This made it appear to work just fine. When I went to implement this on here on my live site though, I ran into an issue. The rewrite was being applied no matter what! This resulted in requests to /wp-admin being rewrriten and handled by index.php, and 404'ing.

So save yourself some headaches and searching, and put the following in your root .htaccess file:

PLAIN TEXT
CODE:
  1. ErrorDocument 401 /error.html
  2. ErrorDocument 403 /error.html

Just make sure those files (error.html) actually exist.

I don't exactly know why this works, but it does. I also don't know who is to blame. Textpattern blames Apache configurations for not having valid error documents to serve (they also have the solution). Dreamhost blames overly aggressive rewrite conditions, but I don't know about that either. Seems to me the rewrite conditions are being used correctly. Sure, the requested uri needs authentication, but it exists on disk. Props to other folks too for other ideas, and the final solution.

]]> http://johnvh.com/2009/02/17/wordpress-mod-rewrite-and-htaccess-nightmare/feed/ 0 Use digest authentication http://johnvh.com/2009/02/11/use-digest-authentication/ http://johnvh.com/2009/02/11/use-digest-authentication/#comments Thu, 12 Feb 2009 03:08:18 +0000 johnvh http://johnvh.com/?p=153 I've seen several articles that discuss Wordpress security - just search for it - say that you should password protect the wp-admin directory. You can do this easily with Apache by using authentication directives, which allow you, per directory, to require a valid user name and password from a client before serving up any content. As of right now, there are two types of authentication that are prevalent out of the box: basic authentication, and digest autentication.

All the security articles I've read recommend setting up basic authentication. I understand that the point is to have password protected access, but basic authentication is not secure. When your browser is challenged with the basic authorization protocol, the user name and password you enter is just base 64 encoded. If someone intercepted a request header on the way to your server after you've authenticated, there would be virtually no work at all involved in decoding your user name and password.

Alternatively, and just as easily, you can use digest authentication, which is considered to be much more secure than basic. It uses MD5 encryption, and other techniques to make the output nearly one way.

Consider the following exceprts from a .htaccess file:

PLAIN TEXT
CODE:
  1. #Use digest authentication
  2. AuthType Digest
  3. AuthName "private"
  4. AuthDigestFile /home/yourusername/.htdigest
  5. Require valid-user

PLAIN TEXT
CODE:
  1. #Use basic authentication
  2. AuthUserFile /home/yourusername/.htpasswd
  3. AuthName "restricted"
  4. AuthType Basic
  5. Require valid-user

Both should be fairly easy to setup with the Auth directives, and Apache ships with CLI tools for easily adding users and password files: htpasswd, and htdigest.

]]> http://johnvh.com/2009/02/11/use-digest-authentication/feed/ 1