How have I misconfigured basic auth for my WordPress site?

I’ve installed WordPress on a bare Ubuntu20-04 box following Digital Ocean’s guide.
Now I want to password protect the entire site but as I can’t find any plugins that protect uploaded files and images, I’m attempting to use basic auth.

So I’ve created a .htpasswd file

-rw-r--r-- 1 root root 132 Jan 12 00:07 /etc/wordpress/.htpasswd

I’ve edited /var/www/mysite.com/.htaccess (substituting a real domain for mysite) to read:

# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/wordpress/.htpasswd
require valid-user

But the site still loads happily without my desired ugly login prompts.
…what am I doing wrong?

Alternative solutions to basic auth are welcome, but I thought that appeared to be the simplest route to protecting uploaded content. (It’s for hosting info about an apartment block for the block’s inmates, and some things, e.g. meeting minutes, are semi-confidential – if people have to log in once per session to access the site, I don’t mind.)

2 Answers
2

OK, editing the default-ssl.conf as described here (or in my case /etc/apache2/sites-enabled/mysite.com-le-ssl.conf) to add auth settings to the end of the Virtual Host block works fine now.
So it’s now:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName mysite.com
    ServerAlias www.mysite.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/mysite.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
    <Directory "/var/www/mysite.com">
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/wordpress/.htpasswd
        require valid-user
    </Directory>
</VirtualHost>
</IfModule>

The page also explains how to use .htaccess files by modifying AllowOverride.

I should probably comment on the guide I originally followed
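
The AllowOverride point above can be checked before relying on .htaccess for access control. The following is an added example, not part of the original answer: a simplified Python check that reads Apache config text and reports what happens to auth directives placed in a docroot's .htaccess. The sample configs and function names are constructed for illustration, and the matcher assumes plain `<Directory>` paths only (no Include, DirectoryMatch, wildcards, AllowOverrideList or Nonfatal handling).

```python
import re

# Constructed sample in the style of a stock Ubuntu apache2.conf (not from the page).
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    AllowOverride None
    Require all granted
</Directory>
"""
# Same config plus a hypothetical override that permits auth directives in .htaccess.
FIXED_CONF = SAMPLE_CONF + """
<Directory "/var/www/mysite.com">
    AllowOverride AuthConfig FileInfo
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ALLOW = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_allowoverride(conf, docroot):
    """Lower-cased AllowOverride classes in force for docroot.

    <Directory> sections merge shortest path first, so the longest
    matching path that sets AllowOverride wins (later wins on a tie).
    """
    docroot = docroot.rstrip("/") + "/"
    best_len, classes = -1, ["none"]  # Apache 2.4 default is None
    for path, body in DIR_BLOCK.findall(conf):
        prefix = path.rstrip("/") + "/"
        found = ALLOW.findall(body)
        if found and docroot.startswith(prefix) and len(prefix) >= best_len:
            best_len, classes = len(prefix), found[-1].lower().split()
    return classes

def htaccess_auth_status(conf, docroot):
    """What happens to AuthType/AuthUserFile/Require placed in docroot/.htaccess."""
    classes = effective_allowoverride(conf, docroot)
    if "all" in classes or "authconfig" in classes:
        return "honoured"   # directives apply, browser gets a 401 prompt
    if classes == ["none"]:
        return "ignored"    # .htaccess is not read, site stays open
    return "rejected"       # file is read, auth directives cause a 500 error

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, htaccess_auth_status(conf, "/var/www/mysite.com"))
```

A result of "ignored" matches the symptom in the question: the site loads with no prompt because the .htaccess file is never consulted, which is why moving the directives into the VirtualHost's `<Directory>` block takes effect.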
