• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved htpasswd causing Internal Server Error 500

P

peraburek

Basic Pleskian
Hello,

I am using vanilla install of
Plesk Onyx- Version 17.5.3 Update #12, last updated on July 4, 2017 01:32 PM
‪Ubuntu 16.04.2 LTS‬ 64bit

I want to password protect WordPress file wp-login.php which works fine on friends shared hosting

however when I apply adjusted settings to Plesk, it doesn't work

added to top of .htaccess file (vanilla WordPress install)
Code: 
# Protect wp-login
<Files wp-login.php>
AuthUserFile /absolute/path/to-this-file/user-domain.com/.htpasswd
AuthName "restricted access"
AuthType Basic
require user test1
</Files>

Htpasswd Generator – Create htpasswd - Htaccess Tools

.htpasswd created with values
Code: 
test1:$apr1$9uo/rj2q$t7Jf1aYZVMPokc4FPtGyJ/

I have tried both Apache and NGINX, on NGINX it doesn't work at all
 
Hi peraburek,

here you go with some working examples:

Apache >= 2.3:
Code: 
# Disallow access to important files for apache >=2.3
    <FilesMatch "(^\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme)\.*)">
       Order deny,allow
       Deny from all
    </FilesMatch>

# Auth protection to wp-login.php for apache >=2.3
    <Files wp-login.php>
       AuthType Basic
       AuthName "Restricted Password Protection"
       AuthUserFile /absolute/path/to-this-file/user-domain.com/.htpasswd
       Require valid-user
    </Files>


Apache >= 2.4:
Code: 
# Disallow access to important files for apache >= 2.4
    <FilesMatch "(^\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme)\.*)">
      Require all denied
    </FilesMatch>

# Auth protection to wp-login.php for apache >=2.4
    <Files wp-login.php>
      AuthType Basic
      AuthName "Restricted Password Protection"
      AuthUserFile /absolute/path/to-this-file/user-domain.com/.htpasswd
      Require valid-user
    </Files>


Nginx:
Code: 
# Disallow access to important files for ngninx     
    location ~* (/\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme).*) {
        return 444;
    }

# Auth protection to wp-login.php for nginx
    location = /wp-login.php {
        auth_basic "Restricted Admin-Area";
        auth_basic_user_file /etc/nginx/htpasswd;

        include /etc/nginx/fastcgi.conf;
    }
 
thank you @UFHH01

problem is resolved

here is how to prevent HTTP auth and allow only HTTPS auth

Code: 
# Protect wp-login
<Files wp-login.php>
SSLRequireSSL
ErrorDocument 403 https://your-domain.com/wp-login.php
AuthType Basic
AuthName "restricted access"
AuthUserFile /absolute-path-format/your-domain.com/.htpasswd
Require valid-user
</Files>
 
I have just tested this rule for Nginx - unfortunatelly it doesn't work with Plesk Onyx 17.5

do you have idea why ?

here is my Apache & nginx Settings for that domain

Code: 
gzip on;
gzip_disable "msie6";

gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

location ~*  \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {expires 30d;}

if (!-e $request_filename) {
    set $test P;
}
if ($uri !~ ^/(plesk-stat|webstat|webstat-ssl|ftpstat|anon_ftpstat|awstats-icon|internal-nginx-static-location)) {
    set $test "${test}C";
}
if ($test = PC) {
    rewrite ^/(.*)$ /index.php?$1;
}

# Disallow access to important files for ngninx
location ~* (/\.|wp-config\.php|(?<!robots)\.txt|(liesmich|readme).*) {
    return 444;
}

# Auth protection to wp-login.php for nginx
location = /wp-login.php {
    auth_basic "Restricted Admin-Area";
    auth_basic_user_file /var/www/vhosts/my-subscription/my-domain.com/.htpasswd;
    include /etc/nginx/fastcgi.conf;
}

after Login form, PHP is "downloaded" and not processed :(

I would like to use Ngnix, thank you :)
 
Last edited:
You must log in or register to reply here.

Similar threads

M
File not found (wp-login.php)
Replies
1
Views
524
Sebahat.hadzhi
Sebahat.hadzhi
K
Issue A lot of random "500 Internal Server Error" from nginx since March 10th
Replies
13
Views
702
alvarezcruz
alvarezcruz
brother4
Question Best way to block direct PHP file access and ensure .htaccess rules are always applied with Nginx as a reverse proxy?
Replies
1
Views
996
brother4
brother4
V
500 Internal Server Error after disabling password protection - WP Toolkit
Replies
1
Views
2K
Peter Debik
P
K
500 internal server errore CP admin
Replies
0
Views
1K
k23
K
Back
Top