Roy
(@gangleri)
Go to your control panel (PHPmyAdmin, whatever you have) and delete the AskApache lines from ALL htaccess files (WP root, admin folder, etc.). That should undo everything that the plugin did.
Thread Starter
749831
Yes, I do have phpMyAdmin, but I don't see any AskApache lines in my htaccess file. Is there a specific folder where AskApache may exist other than the htaccess file?
Roy
(@gangleri)
It changes the htaccess in the root, makes one in each folder you selected to protect (wp-admin, etc.) and of course makes the password files. Did you already activate the plugin, make a username, select the folders and files to protect, etc.?
Thread Starter
749831
You I didn't even need the plugin because my hosting account already provides a “password protect option”, so I created the password protection with them. It does the same thing as apache password protector.
For everyone who likes to add that extra layer of security, make sure you check with your hosting account first and see if they offer that option, because it's so much easier and not a lot of hassle.
Hope this helps everyone out there who is struggling with this issue.
Roy
(@gangleri)
I can’t make an existing folder password protected, but AskApache does a lot more than just password protect the admin folder! Just look at the options:
700 Directory Protection
Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. Disable
800 Password Protect wp-login.php
Requires a valid user/pass to access the login page – *** Safe, Use. 401
900 Password Protect wp-admin
Requires a valid user/pass to access any non-static (css, js, images) file in this directory. – *** Safe, Use. 401
1000 Protect wp-content
Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes 401
1010 Protect wp-includes
Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes 403
1011 Common Exploits
Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. 403
1012 Stop Hotlinking
Denies any request for static files (images, css, etc) if referrer is not local site or empty. 403
1015 Safe Request Methods
Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD – *** Safe, Use. 403
1017 Forbid Proxies
Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press 403
1018 Real wp-comments-post.php
Denies any POST attempt made to a non-existing wp-comments-post.php – *** Safe, Use. 403
1019 HTTP PROTOCOL
Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only – *** Safe, Use. 403
1020 SPECIFY CHARACTERS
Denies any request for a url containing characters other than “a-zA-Z0-9.+/-?=&” – REALLY helps but may break your site depending on your links. 403
1021 BAD Content Length
Denies any POST request that doesnt have a Content-Length Header – *** Safe, Use. 403
1022 BAD Content Type
Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data – *** Safe, Use. 403
1023 Directory Traversal
Denies Requests containing ../ or ./. which is a directory traversal exploit attempt – *** Safe, Use. 403
1025 NO HOST:
Denies requests that dont contain a HTTP HOST Header. – *** Safe, Use. 403
1026 Bogus Graphics Exploit
Denies obvious exploit using bogus graphics – *** Safe, Use. 403
1027 No UserAgent, No Post
Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. 403
1028 No Referer, No Comment
Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. 403
1029 Trackback Spam
Denies obvious trackback spam. See Holy Shmoly! 403
1030 SSL-Only Site
Redirects all non-SSL (https) requests to your https-enabled url 301
Just a simple example: your /wp-login.php?loggedout=true will not be protected by putting the wp-admin behind a password.
Thanks for the props Gangleri, I’m a day or 2 away from releasing a major update that won’t let people shoot themselves in the foot anymore.
It's pretty amazing how well it works. I had it turned off for about 8 hours while I was working on it, and when I checked back in to activate I had received over 500 spams! Each one of the Akismet-found spams uses my limited server connections, CPU for each instance of PHP and MySQL, and slows everyone else down. With the anti-spam research I and a few other people are doing for this plugin, it's really going to be nice.
There's just this whole issue of “coding” the dan thing, which I struggle with but enjoy. This next upgrade is a good one.
BTW, I should probably mention that most of the modules installed in the plugin currently were mostly just cut-and-pasted from my personal .htaccess files. I’ve been recording and researching various spam using honeypots for the last couple of weeks specifically to find anti-spam and also anti-automated web exploit requests.
And I’ve added support for HTTP Digest password authentication like that used by the OpenID systems. There's a lot planned and a lot to do cuz this really does help the net.
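Added example, not part of the thread and not the plugin's generated rules: a hand-written Apache 2.4 equivalent of options 800, 900 and 1015 from the list above, showing why wp-login.php needs its own block in the root .htaccess. The password-file path, user name and realm names are placeholders.

```apache
# Constructed example for Apache 2.4 (mod_auth_basic, mod_authn_file,
# mod_authz_core, mod_rewrite). Paths, user and realm names are placeholders.
#
# Create the password file once, OUTSIDE the web root so it can never be
# served as a document:
#   htpasswd -c /home/example/.htpasswd-wp alice
# Basic auth sends the password with every request, so pair it with an
# HTTPS-only site (option 1030 in the list).

# ---------- file: <WP root>/wp-admin/.htaccess  (option 900) ----------
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /home/example/.htpasswd-wp
Require valid-user

# Static assets stay reachable without credentials; this inner Require
# replaces the directory-wide one for matching files only.
<FilesMatch "\.(css|js|gif|jpe?g|png)$">
    Require all granted
</FilesMatch>

# ---------- file: <WP root>/.htaccess  (options 800 and 1015) ----------
# wp-login.php lives in the WordPress root, not in wp-admin, so the rules
# above never apply to it. It needs its own block here.
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile /home/example/.htpasswd-wp
    Require valid-user
</Files>

# Option 1015: answer 403 to any method outside the list the plugin allows.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|PROPFIND|POST|OPTIONS|PUT|HEAD)$
    RewriteRule ^ - [F]
</IfModule>

# Check after deploying (expect 401 for both when no credentials are sent):
#   curl -I https://example.test/wp-login.php
#   curl -I https://example.test/wp-admin/
```

To undo it, delete these blocks from both files and remove the password file, which mirrors the removal steps given at the top of the thread.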