December 28th, 2012, 12:02 AM
-
Advice on securing a template page in WordPress using .htaccess
All-
I have a localhost WordPress (WP) install running on Mac OS 10.7.5 via MAMP:
Apache 2.2.22
MySQL 5.5.25
PHP 5.2.17 & 5.4.4
APC 3.1.9
eAccelerator 0.9.6.1
XCache 1.2.2 & 1.3.2
phpMyAdmin 3.5.1
SQLiteManager 1.2.4
Freetype 2.4.8
t1lib 5.1.2
curl 7.24.0
jpeg 8d
libpng-1.5.7
gd 2.0.34
libxml2 2.7.8
libxslt 1.1.26
gettext 0.18.1.1
libidn 1.17
iconv 1.14
mcrypt 2.6.8
YAZ 4.0.1 & PHP/YAZ 1.1.3
These are my installed plugins:
Akismet
BackUpWordPress
Custom MetaWidget
Duplicator
Page Security by Contexture
Role Scoper
WordPress Importer
HTTP Authentication
I am using Twenty Eleven with a custom child theme. I want to secure a given page with URL http://localhost/wordpress/?page_id=2 which was created using a default sidebar-page.php template, or a custom template.
In other words I would like to use .htaccess to secure this page which contains a simple text-field form (.htaccess is the best way I know of working with my custom form); for example when I try to secure <Files wp-login.php> it works fine and a custom login appears for a username. I can also take my form, embed it in a PHP web page outside of WordPress and secure it using .htaccess...but then I lose my header, menu and footer.
*But* when I create a custom template and secure it using <Files custom-template.php> within a .htaccess file I am still able to type in data into the form and there is no prompt for login--in other words the page is unsecured.
I've search the forum, the WP forum and Google with no luck. It's not clear how a custom template, or the sidebar-page.php template can be secured. If that's not possible, I'm wondering how to create a new page (i.e. without using WP "Pages") that can be made to look like a page within WP. In other words, how could I add the header.php file and the main menu to a page outside of WP, or is that even worth the effort?
Advise is greatly appreciated.
Tom
December 28th, 2012, 09:58 AM
-
As far as I know you can't define rules in a .htaccess file that apply only to URLs containing certain query string values. Defining a rule for the custom template file doesn't work because the HTTP request isn't being sent to the template file, it's being sent to index.php.
The best approach here is going to be to do the password protection from PHP instead of using Apache for it. You might even be able to find a WordPress plugin that will let you password protect pages.
PHP FAQ
Originally Posted by Spad
Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
December 28th, 2012, 10:21 AM
-
Not sure in which way you want to secure it (password ipaddress etc and for who?) But can't you make a condition in your template that redirects people to the index.php if they are not logged in (or any other thing to allow access). here draft of the idea
PHP Code:
<?php
$specialpages = array(2,4,5,6,8); // some pages you want to secure (better store this is a database)
if(isset($_GET['page_id']) && in_array($_GET['page_id'], $specialpages)){//check if the pag_id is special
//if so check credentials
if(is_user_logged_in()){
// you have access
}else{
header("Location: http://www.example.com/"); // redirect them
exit();
}
}else{
//move along nothing here
}
?>
P.s. if you are able to move to a different CMS, you might want to try out joomla, it has already has access levels
P.p.s I changed the code and used wordpress's own function to check if the user is logged in.
Last edited by aeternus; December 28th, 2012 at 10:44 AM.