Earlier today I received an email from an irate commentator, accusing me of spamming him and threatening to report me. He was receiving emails from my blog, via the Subscribe To Comments plugin, but he thought he couldn’t unsubscribe. The cause: my wp-admin folder is password protected.
As it happens, the commentator had successfully blocked notifications from my site. However, he thought he hadn’t because he received a username / password prompt when he clicked the Unsubscribe link in the email.
Cause – Subscribe To Comments Calling Wp-admin.css
I wasn’t sure why this was happening. The URL used for the Unsubscribe link didn’t appear to be going to the wp-admin folder and I couldn’t see any reason why it would need to. I rolled my sleeves up and jumped into the Subscribe To Comments code. I quickly found the reason on line 951 (in version 2.1.2):
@import url( <?php echo get_settings('siteurl'); ?>/wp-admin/wp-admin.css );
The plugin is calling a CSS file from the wp-admin folder, which invokes the password prompt. As the user doesn’t know the password, they will probably click Cancel and the CSS file will not be served.
This CSS file is only used to style the Unsubscribe page. It does not affect the functionality of the Unsubscribe / Block function. It will continue to run and will unsubscribe the user. The only negative outcome will be it won’t look quite as nice. Well, not the only negative outcome:
The user will be confused as hell because of the password prompt.
Solution – Excluding Wp-admin.css From Protection
I had to resolve this issue. The easiest solution would have been to just hack the code of the Subscribe To Comments plugin and remove the call to the CSS file. However, if the plugin is ever updated, then it would have overwritten my hack and we’d be back where we started.
The sensible alternative seemed to be to exclude the wp-admin.css file from the password protection. A CSS file is highly unlikely to be used in any attack on my site.
There didn’t seem to be any way to exclude the file via CPanel, but I knew there’d be a way to do it by editing .htaccess. I’m no .htaccess expert, so I did a search on the topic, finding the answer in Brett Batie’s Password Protect All but One File post.
That post tells you how to exclude a file in general terms, so here are the instructions for excluding the wp-admin.css file.
Go to the wp-admin folder (make sure it is the wp-admin folder) on your server and edit the .htaccess file. It will probably look something like:
AuthType Basic
AuthName "Authorised Only"
require valid-user
AuthUserFile "<path-to-site-root>/wp-admin/passwd"
Leaving the first 4 lines exactly the same, add the following 4 lines directly after them:
<Files "wp-admin.css">
Allow from all
Satisfy any
</Files>
That’s telling Apache to allow access to wp-admin.css. The final .htaccess (in the wp-admin folder) should look something like:
AuthType Basic
AuthName "Authorised Only"
require valid-user
AuthUserFile "<path-to-site-root>/wp-admin/passwd"
<Files "wp-admin.css">
Allow from all
Satisfy any
</Files>
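The reason this works is the Satisfy directive: by default Apache uses "Satisfy all", so a request must pass both the host check (Allow/Deny) and the user check (require valid-user); inside the Files block, "Satisfy any" means passing either one is enough, and "Allow from all" makes the host check pass for everyone. The following is an added example, not code from this post, the plugin or Apache: a small Python model of those Apache 2.2-style rules that reads an .htaccess like the one above and reports which files in wp-admin would still prompt for a password. The sample .htaccess is constructed here with a placeholder path. One caveat not in the post: Allow and Satisfy are Apache 2.2 directives (provided by mod_access_compat on 2.4), and on Apache 2.4 the equivalent exception is "Require all granted" inside the Files block.

```python
import fnmatch
import re

# Constructed sample: the final wp-admin/.htaccess from the post, with a placeholder path.
HTACCESS = """
AuthType Basic
AuthName "Authorised Only"
require valid-user
AuthUserFile "/path/to/site/wp-admin/passwd"
<Files "wp-admin.css">
Allow from all
Satisfy any
</Files>
"""


def parse_htaccess(text):
    """Split an .htaccess into directory-level directives and <Files> sections.

    Returns (global_directives, [(pattern, directives), ...]); each directives
    value is a list of (name, argument) pairs with lowercased names.
    """
    global_directives, sections = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r'<Files\s+"?([^">]+)"?\s*>', line, re.I)
        if opening:
            current = (opening.group(1), [])
            sections.append(current)
            continue
        if re.match(r"</Files\s*>", line, re.I):
            current = None
            continue
        name, _, arg = line.partition(" ")
        target = current[1] if current is not None else global_directives
        target.append((name.lower(), arg.strip()))
    return global_directives, sections


def effective_directives(filename, parsed):
    """Merge the directory-level directives with every <Files> section that
    matches the filename (Apache's <Files> accepts shell-style wildcards)."""
    global_directives, sections = parsed
    merged = dict(global_directives)
    for pattern, directives in sections:
        if fnmatch.fnmatchcase(filename, pattern):
            merged.update(dict(directives))
    return merged


def needs_password(filename, parsed):
    """Model the Apache 2.2 authorization decision for one file.

    'Satisfy all' (the default) requires the host check AND the user check to
    pass; 'Satisfy any' accepts either, so 'Allow from all' on its own lets
    everyone in without a login prompt.
    """
    directives = effective_directives(filename, parsed)
    requires_user = "require" in directives
    host_allows_all = directives.get("allow", "").lower() == "from all"
    satisfy_any = directives.get("satisfy", "all").lower() == "any"
    if not requires_user:
        return False
    if satisfy_any and host_allows_all:
        return False
    return True


def exposed_files(filenames, parsed):
    """Return the files that would be served without a password prompt, so you
    can confirm the exception covers only the file you meant to expose."""
    return [name for name in filenames if not needs_password(name, parsed)]


if __name__ == "__main__":
    parsed = parse_htaccess(HTACCESS)
    for name in ["wp-admin.css", "index.php", "options.php", "wp-admin.css.bak"]:
        print(f"{name}: {'password required' if needs_password(name, parsed) else 'open'}")
```

Running the block lists wp-admin.css as open and every other file as password protected; dropping the "Satisfy any" line from the sample makes wp-admin.css prompt again, which is the mistake most worth checking for after editing the file.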
Problem solved. My visitors can now unsubscribe again (though why would they want to!). I still have the hardened security provided by password protecting the wp-admin folder. I haven’t had to hack Subscribe To Comments, which would cause problems when the plugin is upgraded.
Mark Jaquith, if you read this, many thanks for a great plugin – but could you consider copying the wp-admin.css file into the plugin folder and calling it from there? I’m fine with you making this post redundant!