Post via admin-ajax.php causes auth pop-up #158

Closed
diesocke opened this issue Jun 4, 2020 · 6 comments

@diesocke

diesocke commented Jun 4, 2020

The website I run uses basic authentication for the /wp-admin/ folder. As Statify uses admin-ajax.php to post the view of the site, this causes the basic authentication to pop up. Is there a way to avoid this without shutting down protection for wp-admin?

I have deactivated Statify to stop the login popup, but I actually want to use the service.

@MatzeKitt
Member

I think the easiest way would be to not use basic authentication for admin-ajax.php. By using the internal Ajax mechanics, you need to use the file /wp-admin/admin-ajax.php.

An example on how to disable basic authentication in Apache2:

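```apache
# Basic authentication for the directory (assumed here: the /wp-admin/ context)
AuthUserFile /path/to/.htpasswd
AuthName "Authorization Required"
AuthType Basic
Require valid-user

# <Files> matches the file name only, so no directory path is given here
<Files "admin-ajax.php">
    # Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for these directives
    Satisfy Any
    Allow from all
</Files>
```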
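To confirm that an exemption like the one above is as narrow as intended, the following check requests admin-ajax.php and a few other /wp-admin/ paths without credentials and reports which ones answer with 401. It is an added example, not part of the original comment or of Statify; the probe paths, the `action=probe` value and the `FakeSite` local server are constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

EXEMPT = "/wp-admin/admin-ajax.php"  # the only path allowed to skip basic auth
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def status(url, data=None):
    """HTTP status of an unauthenticated request (POST when data is given)."""
    try:
        with OPENER.open(urllib.request.Request(url, data=data), timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base):
    """AJAX endpoint must not answer 401; the other /wp-admin/ probes must."""
    probes = ["/wp-admin/", "/wp-admin/index.php", "/wp-admin/admin-ajax.php.bak"]
    return {
        "ajax_open": status(base + EXEMPT, b"action=probe") != 401,  # made-up action
        "unprotected": [p for p in probes if status(base + p) != 401],
    }

class FakeSite(BaseHTTPRequestHandler):
    """Constructed stand-in for basic auth on /wp-admin/ (not real WordPress)."""
    exempt_ajax = True
    def _handle(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))  # drain body
        open_ajax = self.exempt_ajax and self.path.split("?")[0] == EXEMPT
        if self.path.startswith("/wp-admin/") and not open_ajax:
            self.send_response(401)  # always challenge; audit() sends no credentials
            self.send_header("WWW-Authenticate", 'Basic realm="Authorization Required"')
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = _handle
    def log_message(self, *args): pass  # keep the demo quiet

def demo(exempt):  # run audit() against the constructed server on a free port
    handler = type("Site", (FakeSite,), {"exempt_ajax": exempt})
    with HTTPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return audit("http://127.0.0.1:%d" % srv.server_port)
        finally:
            srv.shutdown()
```

Against a real site, call `audit()` with the site's base URL; `demo(True)` and `demo(False)` run it against the constructed server with and without the exemption.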

@diesocke
Author

diesocke commented Jun 4, 2020

I guess this is connected with this update:

| JavaScript tracking reworked using WP AJAX (#109) (#142)

@stklcode
Contributor

stklcode commented Jun 4, 2020

Exactly.

If an additional authentication is configured for the AJAX endpoint, there is no way Statify can get around this (otherwise the auth mechanism would obviously be useless).
There are several other plugins that use AJAX for frontend applications, all facing the same issue, as for some reason the additional auth layer has been recommended in several “security” guides over time (there certainly are better ways imho, but that’s another story).

We should probably add this to the FAQ, as at least 3 support requests reached us in the last 3 weeks. The upgrade notice is likely overlooked and/or the impact is unclear.

@Zodiac1978
Member

Another way could be to just protect the file wp-login.php.

@diesocke
Author

diesocke commented Jun 5, 2020

| Another way could be to just protect the file wp-login.php.

Would be, but I cannot do that, because there is a password-protected area with access only for employees. If I directed the restriction on wp-login.php, they would have to know the complex username and password AND the password for the internal page.

@patrickrobrecht
Member

I've updated your documentation on JavaScript tracking. Now we explicitly state that the Ajax endpoint is mandatory.
