I maintain several WordPress-installations and I received the request to protect the wp-admin-subfolder with a second level of password protection using
.htaccess. Which makes a second user/password-query appear on the browser when trying to access the admin-folder. It works fine, no problem with that.
However, I’m also using the ‘Gallery Carousel Without JetPack‘-plugin to enable simple and nice full-screen galleries. It turned out, that this plugin is requiring
admin-ajax.php to request comments (via JQuery/Ajax) which are displayed for each image. As this file is located in the
wp-admin-folder all anonymous users (so all site-visitors) were prompted for username and password when opening any gallery.
I don’t know whether there is another/better way for plugins to fetch comments with Ajax, but to fix this problem on my site, I excluded the
admin-ajax.php from .htaccess-protection by adding
<Files "admin-ajax.php"> Allow from all Satisfy any </Files>
on the top of my
wp-admin/.htaccess– file. Brett Batie has made a nice short post about .htaccess-exclusions – though he forget to add the closing
</Files> to his single-file-example.
This is my complete .htacces-file now:
<Files "admin-ajax.php"> Allow from all Satisfy any </Files> AuthType Basic AuthName "Secure area" AuthUserFile /<absolute-path-to-wordpress-on-the-server>/wp-admin/.htpasswd AuthGroupFile /dev/null require valid-user