Password Protection written in between # BEGIN WordPress and # END WordPress in .htaccess, gets overwritten randomly

I dont really know if you consider this a bug, but its a really bad issue that happens occasionally on all my sites I have password protected, and has done for a long time.

but often I would password protect directories, then notice sometime later its not protected anymore. the .htaccess file doesnt have the code anymore to protect it.

I just set one up again, and I notice the code goes in between # BEGIN WordPress and # END WordPress.

So if this is the issue, then that may explain it because anything between these could be managed by Wordpress.

We also use other plugins like WP Rocket, Wordfence, ithemes security, that would edit the htaccess file. But all of them add # comments to signify the start and end of their modifications. I would guess NOT adding protection code inside any of these comments would mean it survives other modifications.

Maybe wrap virtualmin added code in # tags too.

Status: 
Closed (fixed)

Comments

Do you mean that there are commented sections in the .htaccess file that are used by Wordpress, and that something is deleting the comments?

No. I mean when virtualmin adds in the password protection code it adds it between wordpresses comments so often gets overwritten as Wordpress manages htaccess inside its comments.

Ah, I see. Can you attach the whole .htaccess file to this bug report so I can see the format Wordpress uses?

Sorry for late response, was waiting until I have another site I need to protect.

This is the htaccess file after I choose to protect directories.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
AuthUserFile "/home/mysite/public_html/htusers"
AuthType Basic
AuthName "Login"
require valid-user
<Files htusers>
deny from all
</Files>

# END WordPress

You can see the code is entered in between # BEGIN WordPress and # END WordPress. Well Wordpress will manage content inside here, and so often I get compaints from customers that their development site is indexed in Google, so when I go check it out the password protection is gone and Google has indexed it. Its very very bad for customers to have their new development sites show up in Google. I find password protection the best way to protect a development project. But I cant rely on it.

So what I do is make .htaccess 444 so it cant be written to. but then actually there are times we do want Wordpress to write to it, and it cant. When we install caching plugins, or Wordpress firewall, they need to write to it but cant.

So it would be best that Virtualmin respect these areas of .htaccess and not write to inside the comments. Its not just Wordpress comments, but the caching plugins and firewall plugins all add their own comments to show where their code starts and ends, and nothing should be written inside these.

Thanks!

For info, this is what Wordpress default htaccess should look like

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Ok, the next Webmin release will handle this case properly.

Status: Fixed ยป Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.