Reply To: Brute Force Login Protection for multiple sites

.htaccess files are hierarchical/recursive, which means that the .htaccess file in the hosting account root folder will apply its security rules to all subfolders below this folder, unless the subfolder or subfolders have their own .htaccess files. If they have their own .htaccess files then those subfolders will follow the security rules in their own .htaccess files and not the .htaccess rules in the hosting account root folder. The best Site Security Architecture/Design technique is to compartmentalize your security so that 1 website’s .htaccess file does not affect another site’s .htaccess file. This allows you to create separate and unique security rules per site.

Note: Some .htaccess directives/code will still be applied to subfolder sites if an .htaccess file exists in a hosting account root folder and a subfolder below that root folder. Example: If you turn off Security Logging in a subfolder or subdomain site, but have a root website in the hosting account root folder and have Security Logging turned on in the root website, then the htaccess ErrorDocument directive from the hosting account root htaccess file will be applied to the subfolder / subdomain site and Security Logging will still occur on the subfolder/subdomain website. If each site was compartmentalized in its own folder then that would not occur since a parent/child folder relationship would not exist. If Security Logging is turned on for both the root site and the subfolder/subdomain site then the subfolder/subdomain site is actually using/following the rules/code in its own .htaccess file and not the root website’s htaccess file.

Ok now to answer your question. Since you have a root domain site in your hosting account root folder, you will need to be aware of the scenarios above. As long as you have htaccess files for each website and have rules/code for login page processing, then each site will follow its own .htaccess file rules/code for login page processing; but if you removed rules/code from a subfolder/subdomain/addon site and the root htaccess file still has rules/code that is doing something with login page processing, then the possibility exists that the root .htaccess rules/code will be applied to the subfolder/subdomain/addon sites below it in that parent/child folder relationship.

Example:

Let’s say that you are using this Brute Force Login attack protection code in your root website’s htaccess file that is located in your hosting account root folder and you do not have any wp-login.php htaccess code/rules in a subfolder site’s htaccess file. This root .htaccess file code/rules will be applied to that subfolder site’s Login page since the subfolder site is a child folder of the parent site folder in this particular type of folder/hierarchical relationship. Both the root site and the subfolder site would use/follow this code/rule.

# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>

So let’s now say that you want Brute Force Login protection on the root website, but do not want Brute Force Login protection on the subfolder site. This is how you would achieve that.

In your subfolder site’s .htaccess file you would add the .htaccess code below, which says allow everyone access to your subfolder site’s wp-login.php Login page. The subfolder/child site will follow its own wp-login.php htaccess rule instead of following the root/parent site’s wp-login.php htaccess rule.

<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from all
</FilesMatch>
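The per-directory merge described in the reply above, as an added example that is not code from the forum post or from the BulletProof Security plugin. It models a constructed hosting layout (a root at /public_html with the brute-force rule, a "blog" subfolder carrying the "Allow from all" override, and a "shop" subfolder with no wp-login.php rule of its own) and resolves which <FilesMatch> block ends up governing wp-login.php in each folder: the nearest ancestor .htaccess that has a matching section wins, so "shop" inherits the root restriction while "blog" does not. The folder names, paths and parsing helper are assumptions made for the example.

```python
"""Resolve which <FilesMatch> block governs wp-login.php for a given site folder.

Added example (not the forum post's or BulletProof Security's code): the
directory tree, folder names and parser below are constructed to illustrate
the parent/child .htaccess relationship discussed in the reply.
"""
import re
from posixpath import dirname

# Constructed sample .htaccess contents. The root file carries the rule from
# the reply; the "blog" subfolder carries the override; "shop" has no rule.
ROOT_HTACCESS = """
# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
Allow from 69.200.95.1
Allow from 65.100.50.
</FilesMatch>
"""

BLOG_HTACCESS = """
<FilesMatch "^(wp-login\\.php)">
Order Allow,Deny
Allow from all
</FilesMatch>
"""

# Assumed folder layout: hosting account root plus two subfolder sites.
HTACCESS_FILES = {
    "/public_html": ROOT_HTACCESS,
    "/public_html/blog": BLOG_HTACCESS,
    "/public_html/shop": "# no wp-login.php rules in this site\n",
}

# Captures the filename regex and the directives inside each <FilesMatch>.
BLOCK_RE = re.compile(r'<FilesMatch\s+"([^"]+)">\s*(.*?)\s*</FilesMatch>', re.S)


def parse_filesmatch(text):
    """Return a list of (compiled regex, [directive lines]) per <FilesMatch> block,
    with blank lines and # comments dropped."""
    blocks = []
    for pattern, body in BLOCK_RE.findall(text):
        lines = [l.strip() for l in body.splitlines()
                 if l.strip() and not l.strip().startswith("#")]
        blocks.append((re.compile(pattern), lines))
    return blocks


def effective_rule(path, files=HTACCESS_FILES):
    """Walk from the file's own folder up toward the root. The first (nearest)
    .htaccess whose <FilesMatch> matches the basename supplies the directives;
    folders without a matching section fall through to their parent."""
    filename = path.rsplit("/", 1)[-1]
    directory = dirname(path)
    while True:
        text = files.get(directory)
        if text is not None:
            for regex, lines in parse_filesmatch(text):
                if regex.search(filename):
                    return directory, lines
        if directory in ("", "/"):
            return None, []  # no ancestor defines a matching section
        directory = dirname(directory)


def allowed_hosts(lines):
    """Extract the operands of every 'Allow from' directive."""
    return [l.split(None, 2)[2] for l in lines if l.lower().startswith("allow from")]


if __name__ == "__main__":
    for site in ("/public_html", "/public_html/blog", "/public_html/shop"):
        folder, lines = effective_rule(site + "/wp-login.php")
        print(f"{site}/wp-login.php -> rule from {folder}: {allowed_hosts(lines)}")
```

Running the script shows the three outcomes the reply describes: the root and "shop" resolve to the root file's allow list, while "blog" resolves to its own file and "all". Swapping in your real folder names and file contents is enough to check a layout before relying on it.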
