Take the case where you have a WordPress multisite with many domains pointing to a single virtual host. When one site gets hit with a wp-login.php attack, you want to password protect the wp-login.php script for just the targeted site … not for every site in the multisite. Here are the .htaccess rules to accomplish this:
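```apache
# Flag requests whose Host header matches a targeted site (case-insensitive regex).
SetEnvIfNoCase Host "acme\.com" requireauth=1
SetEnvIfNoCase Host "widgets\.com" requireauth=1

<Files ~ "^wp-login\.php">
    AuthType Basic
    AuthName "******** ATTENTION - To login please enter username 'admin' and password 'letmein' ********"
    AuthUserFile /etc/httpd/conf/wplogin.htpasswd
    AuthBasicProvider file
    Require valid-user
    # Apache 2.2-style access control; on Apache 2.4 these need mod_access_compat.
    Order deny,allow
    Deny from all
    # Requests without the requireauth variable pass the host-based check.
    Allow from env=!requireauth
    # Either the host-based check or valid credentials is sufficient.
    Satisfy any
</Files>
```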
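We set an environment variable based on the Host header and then require a login only from requests that carry that variable. Requests for any other site pass the Allow from env=!requireauth check, and Satisfy any means passing that check alone is enough, so those sites never see the password prompt.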
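
The same per-host rule written with Apache 2.4 authorization directives, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_setenvif, mod_auth_basic, mod_authn_file and mod_authz_core loaded; the host names, realm text and password file path are the ones used above.

```apache
# Flag requests for the targeted sites. The dots are escaped so they match
# literally; the pattern is still unanchored, so www.acme.com is flagged too.
SetEnvIfNoCase Host "acme\.com" requireauth=1
SetEnvIfNoCase Host "widgets\.com" requireauth=1

<Files "wp-login.php">
    AuthType Basic
    AuthName "******** ATTENTION - To login please enter username 'admin' and password 'letmein' ********"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf/wplogin.htpasswd

    # Access is granted when EITHER branch succeeds (replaces "Satisfy any").
    <RequireAny>
        # Branch 1: the request is for a site that is not flagged.
        # A negated Require cannot stand alone, so it is paired with
        # "Require all granted" inside RequireAll.
        <RequireAll>
            Require all granted
            Require not env requireauth
        </RequireAll>

        # Branch 2: the site is flagged, so valid Basic credentials are required.
        Require valid-user
    </RequireAny>
</Files>
```

A request for wp-login.php on a flagged host without credentials should return 401, while the same request on any other host in the multisite should reach WordPress as before.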