Back to my Page

Server Access Control based on Authentication

If you're using Access Control based on Authentication on your Webserver (often known as htpasswd, Basic Authentiaction, password protected directory or similar), WordPress is not able to handle it for Flash Uploader, Cron and XMLRPC. Related files need to be excluded to work. Keep in mind that this might break your security considerations.

.htaccess snippet

# Exclude the file upload and WP CRON scripts from authentication
<FilesMatch "(async-upload\.php|wp-cron\.php|xmlrpc\.php)$">
    Satisfy Any
    Order allow,deny
    Allow from all
    Deny from none
</FilesMatch>

Alternative approaches

Some alternatives might be considerable:

• Check for a cookie prior use (.htaccess)
• Disable the flash uploader so that the standard uploader is available (wp-config)

See Also

• Technical Installation Checklist
• Secure WordPress Setup
• #10825 - Flash Uploader Breaks with HTTP Authentication
• WordPress and basic authentication, problems with WP Cron and file uploads
• Disable Flash Uploader (wpengineer.com; August 31st, 2009)
• #14648 - Flash Uploader security error in IDN domains