Basic Auth .htaccess but allow specific URL to pass through

WorkinOnIt
Well-Known Member
Aug 3, 2016
UK
cPanel Access Level: Root Administrator
I use an .htaccess basic auth on my WooCommerce site to help prevent bots accessing wp-login, which works well... except that with WooCommerce, if a logged-in customer wants to log out from their account, upon clicking the logout link they are greeted by the Basic Auth popup asking them to "authorise" (generated by our .htaccess).

On the WooCommerce dashboard, the link looks like this:

Hello MrTest (not MrTest? Log out) << clicking on Log out brings up the Basic Auth login box... how can we avoid that?

Here is the content of our htaccess:
AuthName "Authorized"
AuthType Basic
AuthUserFile /home/user/.pswrdfile
require valid-user
In WooCommerce settings, the Logout endpoint is "customer-logout", and the logout link URL shows:

www.example.com/shop/my-account/customer-logout/?_wpnonce=2e343434

So how do I change the .htaccess to allow "wp-login.php?action=logout" to pass through the basic auth?

I tried this but it fails to work; I have an Apache server with the latest cPanel versions.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login.php$
RewriteCond %{QUERY_STRING} ^action=logout
RewriteRule ^ - [E=noauth]
</IfModule>

<FilesMatch "^(wp-login.php)">

AuthName "Protected page"
AuthType Basic
AuthUserFile "/home/user/.pwrdfile"
Require valid-user

Order Deny,Allow
Deny from all
Allow from env=noauth

Satisfy any

</FilesMatch>

cPanelLauren
Product Owner II
Staff member
Nov 14, 2017
Houston
To clarify, these are customers logged in to the WordPress backend, correct? I'd think that the only way to prevent that password protection from popping up would be to redirect the user elsewhere on logout. Redirecting them to wp-login on logout would prompt the password auth; otherwise, any time an unauthenticated user lands on that page they will be prompted.

The following might be helpful:

WorkinOnIt
Hi @cPanelLauren, thanks for your reply and suggestion.

To clarify, these are customers logged in to the wordpress backend correct?
Technically yes, as they are logged in as WooCommerce shop customers, but without access to wp-admin.

I'd think that the only way to prevent that password protection from popping up would be to redirect the user elsewhere on logout.
That is an interesting idea. I have experimented with various options; however, it seems that in order to log out, the WordPress URL /wp-login.php&action=logout must be called, therefore always triggering the .htaccess prompt.

What would be the best way to redirect prior to that basic auth showing up?

cPanelLauren
Hi @WorkinOnIt


Although I'm not an expert on this specific issue, I think this can be done most easily in the functions.php for the theme:

Code:
add_action('wp_logout','auto_redirect_after_logout');
function auto_redirect_after_logout(){
  wp_redirect( site_url() );
  exit();
}
home_url() or site_url() can be replaced with an external URL as well.

WorkinOnIt
Hi @cPanelLauren

Thanks for your suggestion; sadly it didn't work, because wp-login.php launches before the redirect you've mentioned.

So - how about taking a different track?

Could it be possible to modify the .htaccess <FilesMatch> directive to precisely target the "wp-login.php" file, but ignore the longer querystring ("wp-login.php?action=logout&redirect_to")?

I tried the following but it's not working... suggestions?

Code:
<FilesMatch "^(wp-login.php)">
AuthName "Protected page"
AuthType Basic
AuthUserFile "/home/user/.pwrdfile"

require valid-user

Order Deny,Allow
Deny from all
#Allow from 192.168.64.5   # developers IP address
Allow from wp-login.php&action=logout  #<<<<<<<<<<< how to construct this ?

Satisfy Any 

</FilesMatch>
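The last post asks how to write the exemption inside the <FilesMatch> block. The following is an added example, not code posted in the thread or shipped by cPanel or WooCommerce; it is Apache 2.4 syntax (mod_authz_core), which is what current cPanel/EasyApache 4 installs run. Two facts about Apache shape it. First, <Files> and <FilesMatch> match only the file name, never the query string, so "action=logout" cannot be expressed in the FilesMatch pattern and has to be tested in the Require decision itself. Second, in .htaccess context mod_rewrite runs in the fixup phase, after access control and authentication have already run, so an environment variable set with [E=noauth] is not visible to "Require env" or "Allow from env=" for that same request; that is why the RewriteRule variant in the first post never takes effect. The AuthUserFile path is the one from the thread; restricting the exemption to GET requests whose query string contains exactly action=logout is my choice and is marked in the comments.

```apache
# Added example (not from the thread). Apache 2.4 / mod_authz_core syntax.
# Goal: keep Basic Auth on wp-login.php, but let an unauthenticated GET of
# wp-login.php?action=logout through so WordPress can end the session.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Authorized"
    AuthUserFile "/home/user/.pswrdfile"

    # Access is granted if ANY one requirement in this container is met.
    # Apache evaluates "Require expr" before demanding credentials, so a
    # matching request never sees the 401 / Basic Auth popup.
    <RequireAny>
        # Exemption (assumption: GET only). The anchored pattern accepts
        # action=logout on its own or next to other parameters, e.g.
        # ?action=logout&redirect_to=..., but not action=logoutfoo.
        # A POST carrying ?action=logout still gets the auth prompt, so no
        # credentials can be submitted through the exemption.
        Require expr "%{REQUEST_METHOD} == 'GET' && %{QUERY_STRING} =~ /(^|&)action=logout(&|$)/"

        # Everything else on wp-login.php needs a Basic Auth user.
        Require valid-user
    </RequireAny>
</Files>
```

Do not mix this with the 2.2-era Order/Deny/Allow/Satisfy directives in the same block; on 2.4 those exist only through mod_access_compat and the Apache documentation advises against combining them with Require. To check the result from a shell without touching the browser, request https://www.example.com/wp-login.php with curl -I and confirm a 401 with a WWW-Authenticate header, then request https://www.example.com/wp-login.php?action=logout the same way and confirm the response comes from WordPress (its logout confirmation page, with no WWW-Authenticate header) rather than from Apache.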