admin - How to enforce authentication for all resources?

admin2025-06-03  3

I want to host a personal journal with WordPress. I don't want to share it with 3rd parties, but I want to be able to access it from anywhere with my admin credentials. There are several plugins around which all do nothing but protect access to sites/posts - but everything else (/wp-content/ first and foremost) is still accessible without permissions.

So what I basically want is for a check like the one for /wp-admin to be required for each resource on my blog.

${SITE_URL}/.*

I know that I could just add some .htaccess basic authentication. But I want to avoid that.

Brettetete asked Feb 18, 2019 at 8:29 (edited Feb 18, 2019 at 9:04)
  • "I don't want to share it with the public" - what about running it locally? – birgire Commented Feb 18, 2019 at 8:46
  • @birgire - I don't want to share it with 3rd parties but want to be able to access it from everywhere with my admin credentials. – Brettetete Commented Feb 18, 2019 at 9:03
  • Do you want to serve your uploads from a non public folder through PHP with a WordPress login? – birgire Commented Feb 18, 2019 at 9:10
  • @birgire I basically just want to add the auth_redirect() function before accessing /wp-content/* – Brettetete Commented Feb 18, 2019 at 13:05

1 Answer


You should define which resources you want to protect. I think you have these choices:

1) Protect the whole site

2) Protect only posts (without resources)

3) Protect posts & all resources (but only uploads, not wp-content! Otherwise you will break your themes/plugins)

So, as you say, you need the 3rd way. In that case, you should use htaccess cookie-based redirection:

  • Create an htaccess in wp-content/uploads which restricts access to all URLs there for users who don't have a cookie "cookie_name" set to a value, i.e. 'xyz':

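    # Redirect any request that lacks the exact cookie to the authorization page.
    RewriteEngine On
    # Match cookie_name=xyz whether or not another cookie follows it in the header.
    RewriteCond %{HTTP_COOKIE} !(^|;\s*)cookie_name=xyz(;|$) [NC]
    RewriteRule ^ https://your_site/authorization-page [NC,L]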

  • Create an authorization-page with a form for entering a password (set whatever you want), and if the user enters the password correctly, set the cookie cookie_name to xyz.

P.S. Just replace xyz and cookie_name with very random characters.
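
An alternative for option 3 that follows the auth_redirect() idea from the question's comments: route every uploads request through a PHP gate that reuses the WordPress login instead of a static cookie. This is an added example, not code from the original answer; the file name `uploads-gate.php`, its location in the WordPress root, and the rewrite rule in the comment are assumptions.

```php
<?php
// uploads-gate.php (hypothetical name), placed in the WordPress root.
// Assumed rule in wp-content/uploads/.htaccess, sending every request here:
//   RewriteEngine On
//   RewriteRule ^(.+)$ /uploads-gate.php?file=$1 [L]

require __DIR__ . '/wp-load.php';   // boots WordPress so its login cookies are validated

// Same check /wp-admin uses: anonymous visitors are redirected to wp-login.php.
if ( ! is_user_logged_in() ) {
    auth_redirect();                // redirects and exits
}

// Resolve the requested file and refuse anything outside the uploads directory
// (blocks ../ traversal and symlinks that point elsewhere).
$base      = realpath( wp_upload_dir()['basedir'] );
$requested = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
$path      = realpath( $base . '/' . $requested );

if ( $base === false || $path === false
    || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0
    || ! is_file( $path ) ) {
    status_header( 404 );
    exit;
}

// Only serve types WordPress allows as uploads; .htaccess or stray PHP files
// have no allowed MIME type and are refused rather than sent back.
$type = wp_check_filetype( $path )['type'];
if ( ! $type ) {
    status_header( 403 );
    exit;
}

nocache_headers();                  // keep private media out of shared caches
header( 'Content-Type: ' . $type );
header( 'Content-Length: ' . filesize( $path ) );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
exit;
```

Because the rewrite keeps the original request URI, the login page sends the user back to the requested file after a successful sign-in.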
