Basic Auth .htaccess but allow specific URL to pass through
I use a htaccess basic auth on my WooCommerce site to help prevent bots accessing wp-login, which works well... except with WooCommerce if a logged-in customer wants to log out from their account - upon clicking the logout link - they are greeted by the Basic Auth popup asking them to "authorise" (generated by our htaccess).
On Woocommerce dashboard: the link looks like this:
Hello MrTest (not MrTest ? Log out) << clicking on Log out brings up the Basic Auth login box.... how can we avoid that ?
Here is the content of our htaccess:
AuthName "Authorized"
AuthType Basic
AuthUserFile /home/user/.pswrdfile
require valid-user
In WooCommerce settings, the Logout endpoint is: "customer-logout" and the logout link URL shows: www.example.com/shop/my-account/customer-logout/?_wpnonce=2e343434
So how to change the htaccess to allow "wp-login.php?action=logout" to pass through the basic auth? I tried this but it fails to work; I have Apache server with cPanel latest versions.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login.php$
RewriteCond %{QUERY_STRING} ^action=logout
RewriteRule ^ - [E=noauth]
AuthName "Protected page"
AuthType Basic
AuthUserFile "/home/user/.pwrdfile"
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=noauth
Satisfy any
To clarify, these are customers logged in to the WordPress backend, correct? I'd think that the only way to prevent that password protection from popping up would be to redirect the user elsewhere on logout. Redirecting them to wp-login on logout would prompt the password auth otherwise any time an unauthenticated user lands on that page they will be prompted. The following might be helpful:
Hi @cPanelLauren thanks for your reply and suggestion.
> To clarify, these are customers logged in to the wordpress backend correct?
Technically yes as they are logged in as WooCommerce shop customers - but without access to wp-admin.
> I'd think that the only way to prevent that password protection from popping up would be to redirect the user elsewhere on logout.
That is an interesting idea. I have experimented with various options, however it seems in order to logout, the WordPress URL /wp-login.php&action=logout must be called - therefore always triggering the htaccess prompt. What would be the best way to redirect prior to that basic auth showing up?
Hi @WorkinOnIt Albeit I'm not an expert on this specific issue, but I think this can be done easiest in the functions.php for the theme:
add_action('wp_logout','auto_redirect_after_logout');
function auto_redirect_after_logout(){
    wp_redirect( site_url() );
    exit();
}
home_url or site_url can be replaced by an external URL as well.
Hi @cPanelLauren Thanks for your suggestion - sadly it didn't work - because the wp-login.php launches before the redirect you've mentioned. So - how about taking a different track? Could it be possible to modify the .htaccess directive to precisely target the "wp-login.php" file, but ignore the longer querystring ("wp-login.php?action=logout&redirect_to")? I tried the following but it is not working... suggestions?
AuthName "Protected page"
AuthType Basic
AuthUserFile "/home/user/.pwrdfile"
require valid-user
Order Deny,Allow
Deny from all
#Allow from 192.168.64.5 # developers IP address
Allow from wp-login.php&action=logout #<<<<<<<<<<< how to construct this ?
Satisfy Any
Possibly? This is something that would be more geared towards a system administrator or developer though.
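
One way to express the exemption asked about in this thread, as an added example that is not from any of the posters: in a per-directory .htaccess, mod_rewrite runs after the authorization phase, so an environment variable set by RewriteRule is not yet visible to `Allow from env=`, whereas a `Require expr` condition is evaluated during authorization itself. It assumes Apache 2.4 (mod_authz_core) and that Basic Auth is scoped to wp-login.php with a `<Files>` block; the realm name and password file path are the ones quoted in the thread.

```apache
# Added example (not from the thread). Assumes Apache 2.4 and that the
# Basic Auth prompt is meant to cover wp-login.php only.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Protected page"
    AuthUserFile "/home/user/.pwrdfile"

    # Access is granted as soon as ANY one of these requirements passes.
    <RequireAny>
        # Exempt only GET requests whose query string contains the
        # parameter action=logout (anywhere, so a trailing
        # &redirect_to=... or &_wpnonce=... still matches).
        # Login submissions are POSTs, so they still need Basic Auth.
        Require expr "%{REQUEST_METHOD} == 'GET' && %{QUERY_STRING} =~ /(^|&)action=logout(&|$)/"

        # Every other request to wp-login.php must present credentials.
        Require valid-user
    </RequireAny>
</Files>

# Do not combine this with the older Order / Deny / Allow / Satisfy
# directives in the same scope; they belong to mod_access_compat and
# mixing the two models gives results that are hard to reason about.
```

To check the result, request `/wp-login.php` and `/wp-login.php?action=logout` without credentials: the first should still answer 401 and the second should not.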