Exclude Directories From Mod Rewrite

If you installed WordPress in your root directory, there is a good possibility you may have lost access to other files and directories. WordPress’ rewrite rules may have prevented you from accessing those files. Instead, it’s displaying 404 errors.

To fix this issue, you will need to insert a line containing a regular expression in your .htaccess file that excludes your files and directories from being rewritten.

A typical WordPress .htaccess may look like this.

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Here’s the new .htaccess that will exclude certain directories.

RewriteEngine On
RewriteBase /
# new line: skip the WordPress rewrite for this directory and everything under it
RewriteCond %{REQUEST_URI} !^/(foldername|foldername/.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

It’s a simple fix, but it can be frustrating if you don’t know what’s going on.

My WordPress Multi-Site .htaccess File

I just solved my WordPress multi-site problem. I have several blogs located in the subdirectories of this blog. The problem was the media files for my sub-blogs were all broken. If you are aware of the WordPress multi-site setup, WordPress creates a blog.dir directory under wp-content. This is where it keeps all of the uploaded media files, such as images, video, etc., for the sub-blogs.

The issue began when my .htaccess file was overwritten or possibly replaced. At first, I thought it was just an issue with the WordPress options pages, which are stored in the wp-options table. But that wasn’t the case. A quick search in the WordPress forums solved that problem. So, I’m writing this article for two reasons: (1) so others can benefit, and (2) so I have a record of this fix somewhere.

So, here’s my .htaccess file.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# uploaded files
RewriteRule ^(.*/)?files/$ index.php [L]
RewriteCond %{REQUEST_URI} !.*wp-content/plugins.*
RewriteRule ^(.*/)?files/(.*) wp-includes/ms-files.php?file=$2 [L]
# existing files and directories are served as they are
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]
</IfModule>
# END WordPress

WordPress Blogs Hacked Via Config File

A number of WordPress blogs hosted at Network Solutions were hacked, according to ZDNet. A malicious hacker was able to create a script that scanned for WordPress config files, which contain MySQL database credentials in plain text.

WordPress config files should be readable only by Apache, with permissions of 750. Most users have their permissions set to 755. WordPress users should set their permissions to 750 to avoid being hacked.
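
One way to check this across a web root, as an added example that is not from the original post: `audit_wp_config` lists every wp-config.php whose mode grants anything to "other" (755 does, 750 does not), and `harden_wp_config` strips those bits. The function names and the demo tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit wp-config.php permissions under a web root.

# Print every wp-config.php under $1 that grants any permission to "other"
# (the last digit of the mode is non-zero, e.g. 755 or 644).
audit_wp_config() {
    find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all "other" permissions from the files the audit reports
# (755 becomes 750); owner and group bits are left untouched.
harden_wp_config() {
    audit_wp_config "$1" | while IFS= read -r f; do
        chmod o-rwx "$f" && printf 'fixed %s\n' "$f"
    done
}

# Constructed demo tree: one blog at 755, one already at 750.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/blog1" "$root/blog2"
    touch "$root/blog1/wp-config.php" "$root/blog2/wp-config.php"
    chmod 755 "$root/blog1/wp-config.php"
    chmod 750 "$root/blog2/wp-config.php"
    echo "before:"; audit_wp_config "$root"
    harden_wp_config "$root"
    echo "after:";  audit_wp_config "$root"
    rm -rf "$root"
}
demo
```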

Another way of protecting WordPress config files is to use .htaccess. Add the following code to your .htaccess file.

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

WordPress and Password Protected Directories

I think I just solved an issue with WordPress Permalinks and password protected directories that use Apache’s .htaccess. Here’s the problem in detail. I have WordPress installed on the root of my domain. Under that domain, I have a directory that I want password protected using .htaccess. It’s just a directory containing a few PHP scripts. Every time I try to access the password protected directory, I get a 404 page missing error. WordPress is confused thinking the directory is a post or a page. Since it’s not, it generates a 404 error instead.

The workaround for this is to place a couple of error document rules at the top of the .htaccess to pre-empt the WordPress .htaccess rules. There are a couple of scenarios. If there is a 401 situation, an authentication request in this case, it will send the user to the error document, which is just a blank HTML file. The WordPress permalinks rule never gets processed or is ignored. If there is a 403 error code, a forbidden situation in this case, it will send the user to that error document as well.

Here is the working .htaccess file. You will see the two error code rules at the top of the file. Underneath, you will see the standard WordPress permalinks rules.

ErrorDocument 401 ./blank.html
ErrorDocument 403 ./blank.html
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Simple fix. Thanks to aiso.net.

Prevent Others From Hotlinking

You can stop others from hotlinking on your site with the use of the .htaccess file in Apache. Hotlinking is when others are directly linking to an image or a file on your server. It’s bad because they are using your server’s resources and bandwidth for free. You can edit your .htaccess file, usually located in your root directory. If you don’t have one, just create one. Its name must start with a period: .htaccess. Enter this code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]
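
To see which requests these rules catch, the added example below (not from the original post) replays the rule pattern and both conditions against constructed referers and paths, with `grep -E` standing in for mod_rewrite's regex engine. It also covers two cases the rules do not mention: a referer from the same site served over HTTPS, which `^http://` does not match, and an upper-case extension, which the case-sensitive rule pattern skips.

```bash
#!/usr/bin/env bash
# Added example: replay the hotlink rules above against sample requests.
# Patterns are copied from the .htaccess block; inputs are constructed.

# Echo "rewrite" if the request would be sent to /images/nohotlink.jpe,
# "serve" if the file would be delivered unchanged.
hotlink_action() {
    local referer="$1" path="$2"
    # RewriteRule pattern (no [NC] flag, so it is case-sensitive)
    if ! printf '%s\n' "$path" | grep -Eq '.*\.(jpe?g|gif|bmp|png)$'; then
        echo serve; return
    fi
    # RewriteCond 1: Referer must NOT be the site itself ([NC] = ignore case)
    if printf '%s\n' "$referer" | grep -Eqi '^http://(.+\.)?mysite\.com/'; then
        echo serve; return
    fi
    # RewriteCond 2: Referer must not be empty (direct visits, stripped headers)
    if [ -z "$referer" ]; then
        echo serve; return
    fi
    echo rewrite
}

demo() {
    local r p
    while IFS='|' read -r r p; do
        printf '%-8s referer=%-32s path=%s\n' \
            "$(hotlink_action "$r" "$p")" "${r:-<empty>}" "$p"
    done <<'EOF'
http://www.mysite.com/post/1|images/cat.jpg
http://other.example/page|images/cat.jpg
|images/cat.jpg
https://www.mysite.com/post/1|images/cat.jpg
http://other.example/page|images/cat.PNG
http://other.example/page|images/nohotlink.jpe
EOF
}
demo
```

The last sample shows why the replacement image is named `nohotlink.jpe`: that extension does not match the rule pattern, so the rewritten request is not rewritten again.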


Maintenance Page Using .htaccess

If you own a website, there are times you need to bring your site down for maintenance or repair. Instead of the ugly 404 page not found, a nicely crafted maintenance page is ideal for your users to see. Enter .htaccess, a powerful Apache configuration file capable of many functions. It can perform authorization or authentication, redirects, custom error messages, and cache control. This article explains how to create a custom error message. The .htaccess file contains code to redirect your users to your maintenance page. In short, it uses an .htaccess rewrite rule and even restricts viewing to certain IP addresses. In this case it allows the admin to see the website as he would normally, while the rest will get a visually appealing maintenance page.

Password Protect Using Htaccess

The easiest way to protect a web directory is to use a .htaccess file. A .htaccess file is a directory-level configuration file used by several web servers, including the highly popular Apache. The .htaccess file is placed in a web directory and the commands in the file control the behavior of that directory.

A .htaccess file is used mainly for 3 purposes: authentication, the re-writing of URLs and cache control. Today, I’ll show you how to password protect a web directory using the .htaccess file.

Step 1
First, create a .htpasswd file. For security purposes, place the .htpasswd file outside of your web directory. You can place it anywhere in your file system, but your home directory is probably the best place for it. To create a .htpasswd file, issue this command in your Terminal:

# sudo htpasswd -bc /home/ulysses/.htpasswd username password

The htpasswd command will create a file called .htpasswd in your home directory. The period at the beginning of the file name denotes that it is a hidden file. You can view it by issuing an “ls -a” command from your Terminal. Don’t forget to supply your own username and password.

Step 2
Next, make a .htaccess file in the web directory that you want protected. In this example, we will password protect a web directory located in /var/www/widget.

# cd /var/www/widget
# vi .htaccess

Type in the following code in the .htaccess file.

AuthUserFile /home/ulysses/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>

Save the file and open your browser and check if the web directory is password protected. You should see something similar to this from your browser.
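
A quick lint for the file built in Step 2, as an added example that is not from the original post: it checks that `AuthUserFile` points outside the document root, as Step 1 advises, and flags `require` wrapped in `<Limit>`, which applies the password prompt only to the methods listed. `check_htaccess_auth` is a hypothetical helper name and the demo tree is constructed.

```bash
#!/usr/bin/env bash
# Added example: lint a password-protecting .htaccess like the one above.
# check_htaccess_auth is a hypothetical helper name, not an Apache tool.

# $1 = path to .htaccess, $2 = document root. Prints one finding per line
# and returns 0 when nothing is flagged, 1 otherwise.
check_htaccess_auth() {
    local htaccess="$1" docroot="${2%/}" pwfile rc=0
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$htaccess")
    if [ -z "$pwfile" ]; then
        echo "no AuthUserFile directive"
        return 1
    fi
    # Step 1: the password file belongs outside the web directory.
    case $pwfile in
        "$docroot"/*) echo "password file inside document root: $pwfile"; rc=1 ;;
    esac
    # <Limit GET POST> applies "require" to those two methods only, so a
    # request using any other method is not asked for credentials.
    if grep -Eqi '^[[:space:]]*<Limit[[:space:]]' "$htaccess"; then
        echo "require is inside <Limit>: other HTTP methods are unprotected"
        rc=1
    fi
    return "$rc"
}

# Constructed demo: the tutorial's directives in a temporary tree.
demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/www/widget"
    printf '%s\n' 'AuthUserFile /home/ulysses/.htpasswd' \
        'AuthName EnterPassword' 'AuthType Basic' \
        '<Limit GET POST>' 'require valid-user' '</Limit>' \
        > "$d/www/widget/.htaccess"
    check_htaccess_auth "$d/www/widget/.htaccess" "$d/www" || true
    rm -rf "$d"
}
demo
```

Removing the `<Limit GET POST>` wrapper and leaving `require valid-user` on its own applies the password prompt to every method.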