HTTP Authentication

The “HttpAuth” command allows you to manage the users who are permitted to access pages protected by the HTTP authentication method, and to control whether this additional security layer is active on tool access pages such as phpMyAdmin and wp-admin or wp-login. In short, it protects selected sections of your site by requiring a user and password before their content can be accessed.

If you want to know a little more about this authentication method, read the Wikipedia article on Basic Access Authentication.
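To make the mechanism concrete, here is an added example (not part of this page or of the httpauth tool) of what Basic Access Authentication does on the wire and on the server: the browser sends the user and password base64-encoded in an Authorization header, and the server decodes that header and checks it against stored credentials. The credential store, the usernames and the PBKDF2-based hashing are constructed for this illustration; they are not the tool's own storage format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed credential store for this example (not the tool's real storage format).
# Each entry holds a random salt and a PBKDF2-HMAC-SHA256 digest, never the password itself.
def make_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

USERS = {
    "alice": make_entry("correct horse battery staple"),
}

def build_header(user: str, password: str) -> str:
    """What a browser sends after the user fills in the credentials prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64(user:password)>' value.
    Returns (user, password) or None if the header is missing or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':'; everything after the first ':' is the password.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password

def verify(header: Optional[str]) -> Optional[str]:
    """Return the authenticated username, or None if the request must get a 401."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    entry = USERS.get(user)
    if entry is None:
        # Run the KDF anyway so unknown users do not fail noticeably faster than known ones.
        make_entry(password, b"\x00" * 16)
        return None
    salt, expected = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return user if hmac.compare_digest(candidate, expected) else None

if __name__ == "__main__":
    hdr = build_header("alice", "correct horse battery staple")
    print(hdr)                      # base64 only: without TLS anyone on the path can read the password
    print(parse_basic_header(hdr))  # ('alice', 'correct horse battery staple')
    print(verify(hdr))              # alice
    print(verify(build_header("alice", "wrong")))  # None
```

The header is reversible encoding, not encryption, which is why this layer only makes sense on sites served over HTTPS; the server side should store hashes rather than passwords and compare digests in constant time, as above.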

Syntax:

sudo httpauth <option>

Options:

  • -add
  • -delete
  • -list
  • -path
  • -whitelist
  • -wp-admin

Example:

# Create user
sudo httpauth -add

# Disable WP Auth
sudo httpauth example.com -wp-admin=off

# Protect a folder/file
sudo httpauth example.com -path=/folder

Create user

To create a user and password for access to sections protected with HTTP Authentication, use this command.

sudo httpauth -add
# Tip - For unattended scripts.
sudo httpauth -add=[user,password]

You can also create a user with limited permissions to access only one specific domain.

sudo httpauth example.com -add

After you have created one or more users for a specific domain, ONLY these users will be allowed to access that domain; users with global access are disabled for that site.

Delete user

To delete a user use the following command.

sudo httpauth -delete
# Tip - For unattended scripts.
sudo httpauth -delete=user

# Remove user from a specific domain.
sudo httpauth example.com -delete

List users, protected paths and whitelisted IPs

Displays a list of all users created with access to HTTP Authentication.

sudo httpauth -list
# To list users from a specific domain.
sudo httpauth example.com -list

# To list all the protected paths, areas or folders.
sudo httpauth example.com -list=protected

# To list all the whitelisted IPs.
sudo httpauth -whitelist -list

HTTP Authentication in WordPress Login

By default, in the initial installation this security layer is enabled for the wp-admin folder.

The reason for this double authentication on the WordPress management sections, even though HTTP Authentication is not the most robust security method, is the large number of automated attacks these pages receive, combined with the fact that it is very simple to implement and very simple for end users to use.

If you have a WordPress site that has been online for some time, just go and check your access logs on the server; I am sure you will find a considerable number of failed attempts to access this section. Because they are automated “bots” that randomly crawl almost the entire web, when they find this extra layer of security they lose interest and move on.

It is worth mentioning that this type of protection will not stop more sophisticated attacks or someone with a genuine interest and the knowledge to carry them out. Security is a very serious issue, and if you consider that your server and website contain sensitive data or information, it is advisable to consult a security expert.

WordPress REST API, Applications Password, and XML-RPC may not work when Basic Auth is enabled. Additional settings may be required.

We know that this extra layer of security can sometimes be annoying for some users. If you need to enable or disable (on/off) HTTP Authentication on the WordPress login pages of an existing site:

sudo httpauth example.com -wp-admin=off

Protect a custom folder or file

You can put under HTTP Authentication any folder or file.

sudo httpauth example.com -path=/folder

Use -path=/ to protect a complete site or domain.

You can also use the -exact option to define an exact match of URI and location.

What does the "EXACT" option do?

Take this path: /news

https://example.com/news (match)
https://example.com/news/local/our-city (match)

If you use the "EXACT" option:
https://example.com/news (match)
https://example.com/news/local/our-city (no match)

# To protect a specific file, the exact option should be used:
sudo httpauth example.com -path=/folder/file.php -exact

# Subfolder site support
sudo httpauth example.com -path=/one/folder/ -subfolder=/one

If you omit the -subfolder parameter for a path that is inside a subfolder site, it will result in unexpected redirects, especially in PHP and WP sites.

To remove a folder or file from the protected list, just use the -purge option.

# Remove folder
sudo httpauth example.com -path=/folder -purge

# Remove everything
sudo httpauth example.com -path=all -purge

The -exact parameter is not needed together with -purge; it will simply remove every path that matches.

Whitelist IP

To add an IP to the trusted list so that you are not asked for your credentials every time HTTP Authentication is required:

sudo httpauth -whitelist

Or you can pass the IP directly: sudo httpauth -whitelist=10.126.196.2

You can pass multiple values using a comma as the delimiter: sudo httpauth -whitelist=1.1.1.1,2.2.2.2

If you want to remove a previously added IP:

sudo httpauth -whitelist -purge
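The rules described on this page interact: a request is only challenged when its URI is protected (a prefix or -exact path, or the wp-admin/wp-login pages while -wp-admin is on), a whitelisted address is never prompted, and once a domain has its own users the global users no longer work there. The following added example (not part of this page or of the httpauth tool) models those documented decisions in one function so you can check your understanding before touching a live site. The data structures, the plaintext user lists, the sample domains and addresses, and the assumption that a prefix rule matches whole path segments only (the page does not say whether -path=/news also covers /newsletter) are all constructed for this illustration; the tool's real storage and web-server configuration are not shown on the page.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Constructed model of the documented rules; names and structures here are assumptions,
# not the tool's own data model.

@dataclass
class ProtectedPath:
    path: str             # value passed to -path=
    exact: bool = False   # True when -exact was given

@dataclass
class SitePolicy:
    domain: str
    protected: List[ProtectedPath] = field(default_factory=list)
    wp_admin: bool = True                                         # -wp-admin=on is the install default
    domain_users: Dict[str, str] = field(default_factory=dict)    # users created with `httpauth <domain> -add`

@dataclass
class Server:
    global_users: Dict[str, str]   # users created with plain `httpauth -add`
    whitelist: Set[str]            # addresses added with -whitelist
    sites: Dict[str, SitePolicy]

WP_LOGIN_PREFIXES = ("/wp-admin", "/wp-login.php")

def path_is_protected(site: SitePolicy, uri: str) -> bool:
    """Prefix rules match the path itself and everything below it; -exact rules match only the path.
    Matching whole path segments only (so /news does not cover /newsletter) is this model's assumption."""
    if site.wp_admin and uri.startswith(WP_LOGIN_PREFIXES):
        return True
    for rule in site.protected:
        if rule.exact:
            if uri == rule.path:
                return True
        elif uri == rule.path or uri.startswith(rule.path.rstrip("/") + "/"):
            return True
    return False

def users_for(server: Server, site: SitePolicy) -> Dict[str, str]:
    """Once a domain has its own users, only those may access it; global users are disabled there."""
    return site.domain_users or server.global_users

def decide(server: Server, domain: str, client_ip: str, uri: str,
           creds: Optional[Tuple[str, str]]) -> str:
    """Return 'allow' or '401' for one request. creds is the decoded (user, password) pair or None."""
    site = server.sites.get(domain)
    if site is None or not path_is_protected(site, uri):
        return "allow"                       # nothing to enforce on this URI
    try:
        if str(ip_address(client_ip)) in server.whitelist:
            return "allow"                   # whitelisted addresses are never prompted
    except ValueError:
        pass                                 # unparsable address: fall through to credentials
    if creds is not None:
        user, password = creds
        expected = users_for(server, site).get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return "allow"
    return "401"

# Constructed server state: one site protecting /news and a single file, and one site
# protected entirely (-path=/) with its own user list and wp-admin protection switched off.
SERVER = Server(
    global_users={"admin": "gl0bal-pass"},
    whitelist={"10.126.196.2"},
    sites={
        "example.com": SitePolicy("example.com", protected=[
            ProtectedPath("/news"),                          # -path=/news
            ProtectedPath("/folder/file.php", exact=True),   # -path=/folder/file.php -exact
        ]),
        "shop.example.com": SitePolicy("shop.example.com", wp_admin=False,
                                       protected=[ProtectedPath("/")],
                                       domain_users={"carol": "sh0p-pass"}),
    },
)

if __name__ == "__main__":
    for args in [("example.com", "203.0.113.9", "/news/local/our-city", None),
                 ("example.com", "10.126.196.2", "/news/local/our-city", None),
                 ("example.com", "203.0.113.9", "/folder/file.php/extra", None),
                 ("shop.example.com", "203.0.113.9", "/", ("admin", "gl0bal-pass")),
                 ("shop.example.com", "203.0.113.9", "/", ("carol", "sh0p-pass"))]:
        print(args, "->", decide(SERVER, *args))
```

The shop.example.com cases show the per-domain rule in action: the global admin user is refused there because the domain has its own user, while carol is accepted. Passwords are kept in plaintext in this model purely to keep the decision logic readable; a real store should hold salted hashes.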

If you have any suggestions, ideas, or comments, or if you (gasp!) found a bug, join us in the Community Forum.