
Resolved htpasswd causing Internal Server Error 500

peraburek

Basic Pleskian
Hello,

I am using a vanilla install of
Plesk Onyx - Version 17.5.3 Update #12, last updated on July 4, 2017 01:32 PM
Ubuntu 16.04.2 LTS 64bit

I want to password-protect the WordPress file wp-login.php, which works fine on a friend's shared hosting.

However, when I apply the adjusted settings to Plesk, it doesn't work.

added to top of .htaccess file (vanilla WordPress install)
Code:
# Protect wp-login
<Files wp-login.php>
AuthUserFile /absolute/path/to-this-file/user-domain.com/.htpasswd
AuthName "restricted access"
AuthType Basic
require user test1
</Files>

Htpasswd Generator – Create htpasswd - Htaccess Tools

.htpasswd created with values
Code:
test1:$apr1$9uo/rj2q$t7Jf1aYZVMPokc4FPtGyJ/

I have tried both Apache and NGINX; on NGINX it doesn't work at all.
 
Hi peraburek,

here you go with some working examples:

Apache >= 2.3:
Code:
# Disallow access to important files for apache >=2.3
    <FilesMatch "(^\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme)\.*)">
       Order deny,allow
       Deny from all
    </FilesMatch>

# Auth protection to wp-login.php for apache >=2.3
    <Files wp-login.php>
       AuthType Basic
       AuthName "Restricted Password Protection"
       AuthUserFile /absolute/path/to-this-file/user-domain.com/.htpasswd
       Require valid-user
    </Files>


Apache >= 2.4:
Code:
# Disallow access to important files for apache >= 2.4
    <FilesMatch "(^\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme)\.*)">
      Require all denied
    </FilesMatch>

# Auth protection to wp-login.php for apache >=2.4
    <Files wp-login.php>
      AuthType Basic
      AuthName "Restricted Password Protection"
      AuthUserFile /absolute/path/to-this-file/user-domain.com/.htpasswd
      Require valid-user
    </Files>


Nginx:
Code:
# Disallow access to important files for nginx
    location ~* (/\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme).*) {
        return 444;
    }

# Auth protection to wp-login.php for nginx
    location = /wp-login.php {
        auth_basic "Restricted Admin-Area";
        auth_basic_user_file /etc/nginx/htpasswd;

        include /etc/nginx/fastcgi.conf;
    }
 
thank you @UFHH01

problem is resolved

here is how to prevent HTTP auth and allow only HTTPS auth

Code:
# Protect wp-login
<Files wp-login.php>
SSLRequireSSL
ErrorDocument 403 https://your-domain.com/wp-login.php
AuthType Basic
AuthName "restricted access"
AuthUserFile /absolute-path-format/your-domain.com/.htpasswd
Require valid-user
</Files>
 
I have just tested this rule for Nginx - unfortunately it doesn't work with Plesk Onyx 17.5.

Do you have any idea why?

here is my Apache & nginx Settings for that domain

Code:
gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

location ~*  \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {expires 30d;}

if (!-e $request_filename) {
    set $test P;
}
if ($uri !~ ^/(plesk-stat|webstat|webstat-ssl|ftpstat|anon_ftpstat|awstats-icon|internal-nginx-static-location)) {
    set $test "${test}C";
}
if ($test = PC) {
    rewrite ^/(.*)$ /index.php?$1;
}

# Disallow access to important files for nginx
location ~* (/\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme).*) {
    return 444;
}

# Auth protection to wp-login.php for nginx
location = /wp-login.php {
    auth_basic "Restricted Admin-Area";
    auth_basic_user_file /var/www/vhosts/my-subscription/my-domain.com/.htpasswd;
    include /etc/nginx/fastcgi.conf;
}

after Login form, PHP is "downloaded" and not processed :(

I would like to use Nginx, thank you :)
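
Added example, not part of the thread and not Plesk's own configuration: an nginx location that matches a request but names no handler (no fastcgi_pass or proxy_pass) serves the file from disk as static content, which gives the "PHP is downloaded" symptom after the auth prompt and exposes the script source. The block below sets the posted location beside two corrected variants; the PHP-FPM socket path and the backend address are placeholders, since the thread does not give them.

```nginx
# As posted: auth is enforced, but nothing executes the script. The exact-match
# location wins over any other PHP-handling location, so after a successful
# login nginx returns wp-login.php itself.
#
# location = /wp-login.php {
#     auth_basic "Restricted Admin-Area";
#     auth_basic_user_file /var/www/vhosts/my-subscription/my-domain.com/.htpasswd;
#     include /etc/nginx/fastcgi.conf;      # sets parameters only, passes nothing
# }

# Variant A: PHP for this domain is run by PHP-FPM directly from nginx.
location = /wp-login.php {
    auth_basic "Restricted Admin-Area";
    auth_basic_user_file /var/www/vhosts/my-subscription/my-domain.com/.htpasswd;

    include /etc/nginx/fastcgi.conf;
    # PLACEHOLDER: socket (or host:port) of the PHP-FPM pool serving this domain
    fastcgi_pass unix:/PLACEHOLDER/path/to/php-fpm.sock;
}

# Variant B (use instead of A, never both): nginx is only a reverse proxy and
# Apache runs PHP. Keep the auth in nginx and hand the request to the backend.
#
# location = /wp-login.php {
#     auth_basic "Restricted Admin-Area";
#     auth_basic_user_file /var/www/vhosts/my-subscription/my-domain.com/.htpasswd;
#
#     # PLACEHOLDER: address and port Apache listens on for this domain
#     proxy_pass http://PLACEHOLDER_BACKEND_ADDRESS;
#     proxy_set_header Host $host;
#     proxy_set_header X-Real-IP $remote_addr;
#     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# }
```

After reloading, request /wp-login.php with valid credentials and confirm the response is rendered HTML with a text/html content type, not the PHP source.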
 