I've installed Wordpress on a bare Ubuntu20-04 box following Digital Ocean's guide. Now I want to password protect the entire site but as I can't find any plugins that protect uploaded files and images, I'm attempting to use basic auth.
So I've created a .htpasswd file
```
-rw-r--r-- 1 root root 132 Jan 12 00:07 /etc/wordpress/.htpasswd
```
I've edited /var/www/mysite/.htaccess (substituting a real domain for mysite) to read:
```
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/wordpress/.htpasswd
require valid-user
```
But the site still loads happily without my desired ugly login prompts.
...what am I doing wrong?
Alternative solutions to basic auth are welcome but I thought that appeared to be the simplest route to protecting uploaded content. (it's for hosting info about an apartment block for the block's inmates and some things eg meeting minutes are semi-confidential - if people have to log in once per session to access the site I don't mind)
asked Jan 12, 2021 at 0:47 by mholder

2 Answers
Ok, editing the default-ssl.conf as described here (or in my case /etc/apache2/sites-enabled/mysite-le-ssl.conf) to add auth settings to the end of the Virtual Host block works fine now. So it's now:
```
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName mysite
    ServerAlias www.mysite
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/mysite
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/mysite/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite/privkey.pem
    <Directory "/var/www/mysite">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/wordpress/.htpasswd
        require valid-user
    </Directory>
</VirtualHost>
</IfModule>
```
The page also explains how to use .htaccess files by modifying AllowOverride.
I should probably comment on the guide I originally followed.

I had

```
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

in my /etc/apache2/apache2.conf, which is presumably where I was going wrong?
If that is the only place where AllowOverride was defined then that would certainly be the problem. However, that would also mean that your .htaccess file was not being processed at all and you are not using WordPress permalinks.

However, that AllowOverride None directive covering the parent /var/www/ directory is not necessarily incorrect if you have an overriding AllowOverride All (or similar) directive that covers the /var/www/mysite/ directory in the relevant <VirtualHost> container - this would be the more usual configuration. You deny access for the parent directory and allow access for specific subdirectories.

```
<Directory /var/www/mysite/>
    Options -Indexes
    AllowOverride All
    Require all granted
</Directory>
```

Options -Indexes disables directory listings (mod_autoindex), which is enabled in the parent config.
.htaccess otherwise being processed? Do you have "pretty" permalinks? What is AllowOverride set to in the vHost for your site? – MrWhite Commented Jan 12, 2021 at 1:22
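
The AllowOverride question raised in the answers above can be checked offline before relying on auth directives in .htaccess. The following is an added example, not code from the question or either answer: it works out which AllowOverride setting covers a directory and whether that setting lets AuthType/Require in .htaccess take effect. The function names and the sample config are constructed for illustration, and the model is simplified to plain `<Directory>` paths.

```python
import re

# Constructed sample mirroring the two <Directory> blocks quoted on this page.
SAMPLE_CONF = """\
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<VirtualHost *:443>
    DocumentRoot /var/www/mysite
    <Directory "/var/www/mysite/">
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def effective_allowoverride(conf_text, path):
    """Return the AllowOverride tokens that apply to `path`.

    Simplified model: plain <Directory> paths only (no wildcards, regex or
    Include expansion). Apache merges sections from shortest path to longest,
    so the longest matching prefix that sets AllowOverride wins.
    """
    target = path.rstrip("/") + "/"
    best_len, tokens = -1, ["None"]  # Apache 2.4 default is None
    for m in DIR_BLOCK.finditer(conf_text):
        prefix = m.group(1).rstrip("/") + "/"
        setting = OVERRIDE.search(m.group(2))
        if setting and target.startswith(prefix) and len(prefix) >= best_len:
            best_len, tokens = len(prefix), setting.group(1).split()
    return tokens


def htaccess_auth_honoured(conf_text, path):
    """True if AuthType/AuthUserFile/Require in path/.htaccess are permitted."""
    tokens = {t.lower() for t in effective_allowoverride(conf_text, path)}
    return bool(tokens & {"all", "authconfig"})


if __name__ == "__main__":
    for p in ("/var/www/mysite", "/var/www/other"):
        print(p, effective_allowoverride(SAMPLE_CONF, p), htaccess_auth_honoured(SAMPLE_CONF, p))
```

On a live server the text to feed in is the concatenation of apache2.conf and the enabled site files, since Include lines are not followed here.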