deleted 1 character in body
Kzqai

Given an administrative area with URLs like this:

    wp-admin/
    wp-admin/whatever
    wp-admin/another-page
    wp-adminsecretlogin

Standard basic-auth coverage would provide a username and password prompt on all three URLs, and return a 403 on all failed auth attempts. This is a pretty obvious signal that something exists there, and thus is an invitation to script/brute force access.

Instead, I would like to require basic auth everywhere, but when not authenticated, not prompt for a username and password, and instead return a 404 Not Found error for all URLs except a wp-adminsecretlogin/ URL. At that individual-to-the-site URL, basic auth could go through and unlock the rest of the administrative functionality (though the standard application login would still be necessary).

How would I do that via Apache .htaccess or .conf directives?

added 391 characters in body

Given an administrative area with URLs like this:

    wp-admin/
    wp-admin/whatever
    wp-admin/another-page
    wp-adminsecretlogin/

Standard basic-auth coverage would provide a username and password prompt on all three URLs, and return a 403 on all failed auth attempts. This is a pretty obvious signal that something exists there, and thus is an invitation to script/brute force access.

Instead, I would like to require basic auth everywhere, but when not authenticated, not prompt for a username and password, and instead return a 404 Not Found error for all URLs except a wp-adminsecretlogin/ URL. At that individual-to-the-site URL, basic auth could go through and unlock the rest of the administrative functionality (though the standard application login would still be necessary).

How would I do that via Apache .htaccess or .conf directives?

Apache: Stealth 404 the admin area until authenticated via basic auth, then allow access

Given an administrative area with URLs like this:

    wp-admin/
    wp-admin/whatever
    wp-adminsecretlogin/

I would like to have the server return 404 for all URLs except an initial wp-adminsecretlogin/ URL, and then require basic auth (as per standard .htpasswd authentication) on that URL. After a successful authentication, I would like to allow full viewing access to all the admin URLs thereafter.

How would I do that via Apache .htaccess or .conf directives?