Allow Timthumb to work in a htpasswd protected WordPress

I have a domain I use for development purposes. In this domain I have several subdirectories with different WordPress installations.
To hide the whole area I made a simple htpasswd protection in the root.

Now one of these WordPress installations in the domain uses the timthumb library to resize images, and due to the htpasswd, I get “NetworkError: 400 Bad Request” instead of the image.


This is an example of the request that gets the error

http://subdomain.domain.com/WP/wp-content/plugins/plugin-directory/timthumb.php?src=http%3A%2F%2Fsubdomain.domain.com%2FWP%2Fwp-content%2Fuploads%2F2015%2F01%2F012015_valentines_hp_budvase.jpg&w=300&h=620&zc=1

Is there a way to bypass the protection only for that file?

More details on my paths to better read my .htaccess snippets:

  • I’m in a subdomain pointed to a subdirectory called ‘subdomain_folder’
  • .htaccess I’m working on is located in ‘subdomain_folder’
  • WP is in a subdirectory called ‘WP’ inside ‘subdomain_folder’
  • Complete path to WP: ‘/home/some-folder/public_html/subdomain_folder/WP’
  • Complete path to uploads: ‘/home/some-folder/public_html/subdomain_folder/WP/wp-content/uploads’

I tried this:

SetEnvIf Request_URI "^/WP/wp-content/plugins/plugin-dir/timthumb.php$" allow
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order allow,deny
Allow from env=allow
Satisfy any

UPDATE

Someone advised me that allowing access to the timthumb.php file is pointless; instead I should allow it to make HTTP requests, or allow full access to the uploads folder. So I tried the following, allowing requests from the localhost IP:

AuthType Basic
AuthName "Reserverd Area"
AuthUserFile "/home/some-folder/.htpasswds/public_html/subdomain_folder/passwd"
Require valid-user
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Satisfy Any

Tried both localhost and 127.0.0.1

I even tried to add another .htaccess in the single WP upload folder (where timthumb asks for images) with rule to allow from any

Satisfy Any
Order Allow,Deny
Allow from all

Still I can’t get images shown, and I keep getting “NetworkError: 400 Bad Request” instead of the image.

Last detail: the .htaccess in the WP directory is a standard WP .htaccess -> pastebin.com/8PRqEYQ2

1 comment

  1. I Found the solution.

    The right way is indeed allowing requests from the server itself, but the localhost IP (127.0.0.1) was not the right address to allow.
    I made a Reverse IP Lookup searching for the domain I’m on, and I used that IP.

    This is the .htaccess that works

    RewriteEngine On
    <IfModule mod_authn_file.c>
    AuthName "Restricted Area"
    AuthUserFile "/home/path-to-passfile/passwd"
    AuthType Basic
    Require valid-user
    Order Deny,Allow
    Deny from all
    # Use your server ip:
    Allow from 111.111.111.11
    Satisfy Any
    </IfModule>
    

    With these rules I can develop apps using timthumb.php in an .htpasswd-protected directory.

    Criticisms and improvements are welcome 🙂
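To see why the first two attempts in the question fail and the commenter's version works, the following added example (not code from the page, TimThumb or Apache) models Apache 2.2's `Order`/`Allow`/`Deny`/`Satisfy` evaluation in Python and runs the three .htaccess variants against two requests: the developer's browser asking for timthumb.php, and TimThumb's own HTTP fetch of the image. The key assumption, stated in the comment, is that TimThumb fetches the image through the public hostname, so Apache sees the server's outbound address with no credentials attached. The IP addresses, the plugin path and the image path are constructed placeholders from documentation ranges and from the question.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation ranges); assumptions for this illustration only.
SERVER_IP = "198.51.100.20"   # what a reverse lookup of the domain returns: the host's public IP
DEVELOPER_IP = "203.0.113.9"  # the author's browser
TIMTHUMB_URI = "/WP/wp-content/plugins/plugin-dir/timthumb.php"
IMAGE_URI = "/WP/wp-content/uploads/2015/01/012015_valentines_hp_budvase.jpg"


def _matches(rule, client_ip, env):
    """One argument of 'Allow from' / 'Deny from': 'all', 'env=NAME' or an IP/CIDR."""
    if rule == "all":
        return True
    if rule.startswith("env="):
        return rule[4:] in env
    return ip_address(client_ip) in ip_network(rule, strict=False)


def host_access(order, allow, deny, client_ip, env):
    """Apache 2.2 mod_authz_host evaluation of Order / Allow / Deny."""
    allowed = any(_matches(r, client_ip, env) for r in allow)
    denied = any(_matches(r, client_ip, env) for r in deny)
    if order == "allow,deny":
        # default deny: some Allow must match and no Deny may match
        return allowed and not denied
    if order == "deny,allow":
        # default allow: a matching Deny rejects unless an Allow also matches
        return not denied or allowed
    raise ValueError(f"unknown Order: {order}")


def request_allowed(conf, client_ip, request_uri, authenticated):
    """Combine the host check with Basic auth according to 'Satisfy'."""
    env = {name for name, pattern in conf.get("setenvif", ())
           if re.search(pattern, request_uri)}
    host_ok = host_access(conf["order"], conf["allow"], conf["deny"], client_ip, env)
    if conf["satisfy"] == "any":
        return host_ok or authenticated
    return host_ok and authenticated


# The three .htaccess variants from the page, written as dictionaries.
ATTEMPT_ENV = {        # SetEnvIf Request_URI ... allow / Order allow,deny / Allow from env=allow
    "setenvif": [("allow", r"^/WP/wp-content/plugins/plugin-dir/timthumb\.php$")],
    "order": "allow,deny", "allow": ["env=allow"], "deny": [], "satisfy": "any"}
ATTEMPT_LOCALHOST = {  # Order Deny,Allow / Deny from all / Allow from 127.0.0.1
    "order": "deny,allow", "allow": ["127.0.0.1"], "deny": ["all"], "satisfy": "any"}
WORKING = {            # the commenter's version: Allow from <server ip>
    "order": "deny,allow", "allow": [SERVER_IP], "deny": ["all"], "satisfy": "any"}


def timthumb_can_fetch_image(conf):
    """TimThumb runs on the server and fetches the image over HTTP via the public
    hostname, so Apache sees the server's own outbound IP and no credentials."""
    return request_allowed(conf, SERVER_IP, IMAGE_URI, authenticated=False)


def browser_gets_timthumb(conf, authenticated):
    """The developer's browser requesting timthumb.php, with or without the htpasswd login."""
    return request_allowed(conf, DEVELOPER_IP, TIMTHUMB_URI, authenticated)


if __name__ == "__main__":
    for name, conf in [("env=allow", ATTEMPT_ENV),
                       ("127.0.0.1", ATTEMPT_LOCALHOST),
                       ("server ip", WORKING)]:
        print(f"{name:10s} browser(auth)={browser_gets_timthumb(conf, True)} "
              f"browser(no auth)={browser_gets_timthumb(conf, False)} "
              f"timthumb fetch={timthumb_can_fetch_image(conf)}")
```

Under the first variant only the timthumb.php URI is exempted, so the script's own fetch of the image is still challenged and TimThumb returns its 400. Under the second, the fetch would pass only if it arrived from 127.0.0.1, which it does not when the hostname resolves to the public address. The commenter's rule admits every unauthenticated request whose source address is the server itself, which is exactly what TimThumb needs; the model also shows that the browser still has to log in, since its address matches no `Allow` line.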