Plugin misbehaving when WP installed into a subdirectory

Hi Sean,

I wonder if you can help me out with a problem I’ve encountered with your plugin. I’ve just installed a brand new WordPress site from scratch, and I’ve installed WP into a subfolder called “wordpress”, but with the site URL itself being the root folder (which is a fully supported configuration for WordPress, as per http://codex.ww.wp.xz.cn/Giving_WordPress_Its_Own_Directory).

So on the “General Settings” page, I have set the WordPress Address to http://www.example.com/wordpress and I have set the Site Address to http://www.example.com. Everything is working fine – I can log into the dashboard, I can browse the site correctly at http://www.example.com, etc etc.

Then I installed your Lockdown WP plugin (LWP). It’s literally the only plugin I have installed, and it was the very first thing I did – I haven’t configured anything else apart from the permalinks, which I have set to a custom structure of http://www.example.com/%postname%

(I have already used LWP on other sites without problem, where WP is installed into the root directory rather than into a subdirectory – today is the first time I’m doing it on a site with WP in a subdirectory).

On the LWP settings page, I enabled “hide WP Admin”, and I changed the login URL to “dashboard”. The plugin showed the subdirectory there as part of the URL, where it says “Change the WordPress Login URL? http://www.example.com/wordpress/ [________]”

I am *not* using HTTP Authentication.

Then I clicked Save, and logged out in order to test it.

The results I got were inconsistant, and I have a feeling that the plugin doesn’t work properly when WordPress is installed in a subdirectory. I hope you can check and confirm this for me, and fix it if necessary. 🙂

So here are the URLs I typed into my browser, while logged out of WP, and the results, and whether I find the results good or not:

1) http://www.example.com/wp-login.php -> gives 404 (good!)

2) http://www.example.com/wordpress/wp-login.php -> This works and displays the login panel, and does not change/hide the URL! (NOT good)

3) http://www.example.com/wp-admin/ -> redirects automatically to http://www.example.com/wordpress/wp-admin/ and gives 404 (good) – however, I’d prefer this not to redirect. It should stay at the original URL so it doesn’t give away the /wordpress/ subfolder where I’ve installed WP. It would be better for the redirection to work the other way around, ie. for http://www.example.com/wordpress/wp-admin to redirect to http://www.example.com/wp-admin and then give the 404. Or at the very least, there should be no redirection at all, and both URLs should give a 404.

4) http://www.example.com/wordpress/wp-admin/ -> gives 404 (good)

5) http://www.example.com/dashboard -> displays the login panel, as expected (good)

6) http://www.example.com/wordpress/dashboard -> redirects to http://www.example.com/wordpress/wp-admin/ and gives 404 (I would prefer that it redirects to http://www.example.com/dashboard and shows the login box)

7) http://www.example.com/admin -> redirects to http://www.example.com/wordpress/wp-admin/ and gives 404 – not good, as this exposes the wp-admin URL – and I’m surprised that /admin would redirect in the first place – is this URL something you’ve built into your plugin, or is it part of core WordPress functionality? It would be better for this to stay as http://www.example.com/admin and give a 404 there.

8) http://www.example.com/wordpress/admin/ redirects to http://www.example.com/wordpress/wp-admin/ and gives 404 – also not good as this exposes the wp-admin URL.

Now here’s the worst part: I then went to http://www.example.com/dashboard and logged in there via the login panel, and it immediately redirected me to http://www.example.com/wordpress/wp-admin/ and I get a 404 error!! Not good! Even though I did log in with correct credentials. So now I’m locked out of WP completely and can’t get in at all – even if I go back to the login panel and log in again, it just takes me back to http://www.example.com/wordpress/wp-admin and gives me a 404. The only way I can fix this is by removing the “lockdown-wp-admin” folder from /wp-content/plugins on the server (using FTP), and then it will let me log in again to the Dashboard. I’ve never had this problem on WordPress installations where WP is installed into the root directory, so I have to assume that the problem is with WP running out of a subdirectory.

Unfortunately this renders your wonderful plugin unusable by me, so I really hope you can fix it, as yours is by far the best plugin I’ve seen for hiding the URL of the login page (without using .htaccess or annoying “secret keys” etc).

I hope this all makes sense and you can check and confirm this for me!

Thanks! 🙂

http://ww.wp.xz.cn/extend/plugins/lockdown-wp-admin/