|
Karla
|
January 2, 2014 at 7:25 pm
I’ve got my WordPress admin area protected with a simple .htaccess password authentication. Only admins ever need to log in so it’s worked fine for the last year.
However, after this last Calendar plugin update, regular visitors are being prompted for the password. I looked at the source code and the Calendar is making a call to a file located here: wp-admin/admin-ajax.php !
I’ve been a fan of event espresso for a long time, but this shocking and disappointing. It’s bad coding to make external calls to the wp-admin folder.
I’ll have to see if I can get a ‘limit post’ directive going instead to protect the admin area. Any chance of fixing this Calendar change?
|
|
Dean
|
January 3, 2014 at 1:49 am
Hi Karla,
Thanks for the feedback, and I am sorry for your disappointment.
We are actually following WordPress guidelines for AJAX, as outlined here – http://codex.wordpress.org/AJAX_in_Plugins#Ajax_on_the_Viewer-Facing_Side
While we agree that perhaps WordPress should change the location of that file, it is required for AJAX to function, so is a necessary part of the code.
|
|
Josh
|
January 3, 2014 at 8:25 am
Hi Karla,
The WordPress codex has some good information that relates to the issue you’re having. This is from the “Hardening WordPress” article:
Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly.
The resources that I think they’re referring to are these:
http://httpd.apache.org/docs/2.2/howto/auth.html
http://kuttler.eu/post/htaccess-protect-wordpress-admin/
The first one shows how to password protect directories with the .htaccess file. The second one shows how to whitelist the Ajax handler.
|
|
Karla
|
January 3, 2014 at 7:11 pm
I didn’t realize that WordPress had the ajax file like that. I apologize.
I appreciate the links. For anyone else with this same problem, I ended up putting this in my site’s main .htaccess files (in the site document root), it protects just the wp-login.php:
<Files wp-login.php>
AuthType Basic
AuthName "Password protected"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
</Files>
The only thing I've found that it causes problems for are password protected posts. However, my site doesn't use those anymore, so it's fine for my needs.
Thanks!
|
|
Dean
|
January 6, 2014 at 1:19 am
Hi,
“I didn’t realize that WordPress had the ajax file like that. I apologize.”
No need to apologize, WordPress is a complicated beast behind the scenes and we all learn something new about it every day.
And thank you for sharing your solution!
|
