Flaw in generated error page? | Peter's Custom Anti-Spam for WordPress | Forum

Flaw in generated error page?
December 8, 2008
8:53 pm
jca
Guest

Installed/updated to the latest Anti-Spam plugin. Here is the problem:

One of the recommended security measures is to password-protect the wp-admin folder (via .htaccess).

When the Anti-Spam generates the WP Error page (say, if you didn't enter the spam word), a password prompt will pop up because the error page is requesting wp-admin/css/install.css in its HTML, which it can't get from the password-protected directory.

I assume this is a flaw with WP or does the Anti-Spam plug-in only generate this type of WP Error page?

Apologize if this has already been answered. Appreciate any help/info.

December 8, 2008
9:09 pm
Peter
Admin
Forum Posts: 841
Offline

Good catch. The plugin uses the standard WordPress function wp_die. You'll probably get the same behavior if you don't enter a name or e-mail address along with the comment. The wp_die function is defined in wp-includes/functions.php and you'll see that it has the CSS file hard-coded (and also that WordPress recommends using it over the die function). So I'll have to chalk it up to a WordPress design flaw.

You can get around this by either hacking the functions.php file to use a different CSS file in the wp_die function, or changing all instances of wp_die in my plugin to simply use the die function. You'll just get a plainer error message display.

December 9, 2008
12:22 am
jca
Guest

I assume there is an .htaccess statement we can add to the .htpasswd statement that will make it exclude the .css file in the wp-admin directory? Would that work?

December 9, 2008
1:04 pm
Peter
Admin
Forum Posts: 841
Offline

Sadly I don't know of a way to exclude certain files from the .htpasswd umbrella. If there is a way to do that, I would love to hear about it. I can't think of a non-hackish solution at the moment.

December 9, 2008
5:16 pm
jca
Guest

Also posted this question here:

http://wordpress.org/support/t.....pic/223669

but so far no help. :(

December 10, 2008
12:41 am
Peter
Admin
Forum Posts: 841
Offline

You should file a bug report for that as well.

Supposing your site is http://www.yoursite.com, and that you have your .htaccess file specifying the password protection in http://www.yoursite.com/wp-admin, you can copy wp-admin/css/install.css to the root of your directory and then add this rewrite rule to the top of your .htaccess file in wp-admin:

RewriteEngine On
RewriteRule ^css/install\.css http://www.yoursite.com/install.css [L]

December 10, 2008
10:30 pm
jca
Guest

I don't really understand the hostility from Otto42, the WordPress.org moderator, in the WordPress Support thread when I asked about this issue.

Can I assume his view is the official WP view that this isn't a "bug"?

Are all support threads at WP that "helpful"? :(

December 10, 2008
10:33 pm
Peter
Admin
Forum Posts: 841
Offline

Sorry that he’s giving you such a hard time. I don't think extra security practices should be brushed off.

Did you try the fix I suggested?

December 11, 2008
1:02 pm
jca
Guest

Thanks for the suggestions and help. Will try out your fix once I update (both WP and your plugin). ;)

June 30, 2009
11:49 pm
Brian
Guest
10

I just encountered this problem. I posted another solution to this in http://wordpress.org/support/t.....pic/223669 and wanted to post here as well.

If you have mod_access loaded, you can exclude a specific file(s) from authentication.

In the .htaccess in wp-admin, add the following before the authorization rules:
# Allow access to install.css & install-rtl.css for wp_die()
SetEnvIf Request_URI "/css/install\.css$" css_only
SetEnvIf Request_URI "/css/install-rtl\.css$" css_only

Then right after the:
Order Allow,Deny
Add:
Allow from env=css_only

Additional files can be added as necessary. Or, if you want to allow access to all .css files, use:
SetEnvIf Request_URI "\.css$" css_only
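
The fragments from the post above, assembled into one complete wp-admin/.htaccess as an added example that is not part of the original posts. The AuthName text and the AuthUserFile path are placeholders, the patterns assume WordPress is installed at the site root, and the `Satisfy Any` line and the Apache 2.4 `RequireAny` variant are assumptions about what the surrounding authorization rules look like.

```apache
# wp-admin/.htaccess
# Added example: Basic auth for wp-admin with an exemption for the two
# stylesheets that wp_die() error pages load.

# Flag only the two exact stylesheet URIs. Request_URI excludes the query
# string; anchoring with ^ and $ keeps longer URIs that merely end in the
# same text from being flagged. Assumes WordPress lives at the site root.
SetEnvIf Request_URI "^/wp-admin/css/install\.css$" css_only
SetEnvIf Request_URI "^/wp-admin/css/install-rtl\.css$" css_only

# Basic authentication for everything else in wp-admin.
AuthType Basic
# Placeholder realm text
AuthName "Restricted"
# Placeholder path; keep the password file outside the web root
AuthUserFile /path/to/.htpasswd

# Apache 2.4 (mod_authz_core): either the flag or a valid login is enough.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require env css_only
        Require valid-user
    </RequireAny>
</IfModule>

# Apache 2.0/2.2 (mod_access / mod_authz_host), the syntax used in the thread.
<IfModule !mod_authz_core.c>
    Require valid-user
    # Host-based check: denied by default, allowed only when the flag is set
    Order Allow,Deny
    Allow from env=css_only
    # Pass if EITHER the host-based check OR the login succeeds
    Satisfy Any
</IfModule>
```

To check the result, request /wp-admin/css/install.css without credentials and expect a 200, then request any other URL under /wp-admin/ and expect a 401.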

July 1, 2009
2:25 am
Peter
Admin
Forum Posts: 841
Offline
11

Great tip!