I cleaned and secured a osCommerce site the other day which is run in a subdirectory of a hosting account, like so /public_html/shop/.
The admin area is at /public_html/shop/admin/ [ actually it’s in a randomly named admin folder, but for the blog post, let’s assume it is at /shop/admin/ ]
In the root of the website hosting or in other words /public_html/ is an installation of WordPress. With me so far?
/public_html/ <-- wordpress /public_html/shop/ <-- oscommerce /public_html/shop/admin/ <- oscommerce admin area Part of the security lockdown is to protect the admin area by htaccess and htpasswd. This is server level security that ALL osCommerce sites MUST have.
I then delivered the finished site to the client and all was well. Fast forward a day or two, and I get an email stating that the admin area was returning a 404 error. That is odd, as it is definitely there.
So, what changed from when I delivered a working shop and admin area? Only 1 thing – the htaccess in the public_html that controls the wordpress URL rewriting.
The client went ahead and removed the htpasswd protection from the osCommerce admin area, which allowed access. Obviously this is undesirable and I let the client know this. I was shocked and amazed at this response from the clients host to the client;
The htaccess and htpassword files are a security measure against a problem that does not exist anymore in the newest version of osC.
What an absolute joke – this host really needs to get a clue!
What is needed is a way for WordPress to do it’s rewriting AND for osCommerce Admin area to be secured via htpasswd…
The Solution
With some Google digging, it transpires that WordPress sometimes has problems with htpasswd’d folders higher up in the website hosting account. Hence the 404 error.
With a bit more Google digging, the solution is as presented on this page. Simply make a couple of error pages, and add in the two ErrorDocument directives to the WORDPRESS htaccess file.
So, next time your osCommerce Admin area presents a 404, and you are running WordPress on the same hosting account, this could be the solution for you.
Important note; I don’t really know enough about WordPress to state for certain just exactly what the problem is. What I am able to do is hunt Google, copy and paste, and write a blog post about it for people having similar problems in the future.
The moral of this story has to be “Do not install WordPress in the root directory”
I have no problems with any of my WordPress but they are either in sub domains or directories
Regarding htaccess password for “admin”, what do you tell your customers when they ask why they need to login twice to Admin? Do they have a hard time swallowing that particular inconvenience in the name of security?
J – easy; double security lock. If 2.3.1, a login on the htaccess auto logs in the usual osc login page if set up correctly.