Using WordPress’s permalink feature seems to cause some issues with password protected directories that use Apache’s .htaccess to handle authentication. I recently had to troubleshoot why after installing WordPress on the root level of the domain that a password protected directory would return a 404 page instead of the typical login box.

The problem comes from the Apache rewrite engine that WordPress uses to make search engine friendly URL’s. WordPress uses a .htaccess file in the root folder of the install to take any URL and allow WordPress to process and serve the appropriate page, or error.

What Exactly Is Breaking User Logins

In this condition the Web server thinks that the HTTP data stream sent by the client (ex. a web browser) was correct, but access to the URL requires user authentication which has not yet been provided or which has been provided, but failed authorization tests. This is commonly known as “HTTP Basic Authentication” or HTTP Error 401 Unauthorized.

Generally this error message means you need to log on (enter a valid user ID and password) somewhere first. If you have just entered these and then immediately see a 401 error, it means that one or both of your user ID and password were invalid for whatever reason (entered incorrectly, user ID suspended etc.).

Let’s Fix Directory Listing Too

Another issue could be a HTTP Error 403 Forbidden. The Web server thinks that the HTTP data stream sent by the client (ex. your web browser) was correct, but access to the resource identified by the URL is forbidden for some reason. The most common reason for this error is that directory browsing is forbidden for the Web site. Most Web sites want you to navigate using the URLs in the Web pages for that site. They do not often allow you to browse the file directory structure of the site.

Understanding What it All Means

Now that we know what is causing the errors it is time to fix them. We will perform the solution by placing a couple of ErrorDocument handlers at the top of the .htaccess to pre-empt the WordPress .htaccess rules.

There are a couple of scenarios we will be preventing WordPress from handling. If there are 401 errors (directory authentication) it will send the user to an error page. If there is a 403 error code (a forbidden directory situation) it will send the user to an error document as well. The WordPress permalinks rule never gets processed and will be ignored for these two errors.

Editing the WordPress .htaccess is Simple Solution

The first thing you need to do is locate your WordPress directory. This is often either your www directory or public_html directory. Locate your .htaccess file and open it using any text editor. If you do not see this file you can simply create one using any text editor (such as Notepad on Windows).

Update the .htaccess file before the WordPress information and add the following two lines of code:

ErrorDocument 401 ./error.html
ErrorDocument 403 ./error.html

The finished .htaccess should look like:

ErrorDocument 401 ./error.html
ErrorDocument 403 ./error.html
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress


Victory!

Make sure your FTP program is set to upload as ASCII. Upload the .htaccess file to your home directory (often public_html or www). You can also upload an error.html to the root directory.

Attempt to access a directory that is password protected will now give you the popup box you were expecting in the first place, so you can enter your login credentials and gain access as normal.

We also learned how to process 401 and 403 errors in the process using Apache’s ErrorDocument directive using .htaccess in the process.

Tags: .htaccess, 401, 403, Apache, ErrorDocument, errors, How To, password protect, WordPress

This entry was posted on Wednesday, February 10th, 2010 at 10:00 am by Gino Gard and is filed under Coding. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.