Password Protect a WordPress Subdirectory with .htaccess

There are questions all over the internet regarding how to password protect a sub-directory when you are using WordPress.

I just spent a long time fighting a frustrating battle with this as well. So I’m documenting the resolution here for my (and anyone’s) benefit.

 In short

  1. WordPress does not mess with requests to actual directories or files.
  2. If WordPress is messing with your request then you aren’t requesting an actual directory or file.
  3. It’s likely your Error codes aren’t setup to return actual files.
  4. Make sure your .htaccess file isn’t generating 500 errors (i.e. ensure the path to your .htpasswd file is correct).


I’ve added a .htaccess and .htpasswd file but all I see is a WordPress 404 page. I can’t stop crying because it’s not working and my brain hurts.

Yep. That happens. WordPress comes with the following .htaccess file by default:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Let’s break this down.  First we are checking if the mod_rewrite module is even installed. If it is then we are turning the RewriteEngine on. That’s all great. We wouldn’t want to use the engine if it didn’t exist… right?

RewriteBase / – This sets the base of every subsequent Rule and Condition to the root `/`.  This way we don’t have to include the root directory at the beginning of any of our rules.

RewriteRule ^index\.php$ - [L] – This rewrite rule checks to see if we are on the index.php page already. The dash in the rule means do nothing. So… if we are already on index.php don’t do anything. The [L] option means that we should stop processing rules now. Don’t do anything else, we’ve got what we wanted. Quite literally this is the [L]ast rule that should be processed.

RewriteCond %{REQUEST_FILENAME} !-f – This condition makes sure that if the current request is hitting an actual existing file then we should do nothing. So WordPress won’t mess with your requests if you try to link to an actual file.

RewriteCond %{REQUEST_FILENAME} !-d – This condition makes sure that if the current request is hitting an actual existing directory that we should do nothing. So WordPress won’t mess with your requests if you try to link to an actual directory.

RewriteRule . /index.php [L] – Finally, if our request passed the above two conditions (it’s not an actual file and not an actual directory) then map the request to index.php. Now the request is mapped and WordPress can do its thing!

That’s Great But…

I know what you are thinking. You are thinking:

If what you are saying is true, then I shouldn’t be seeing a 404 page. My password protected directory actually exists!

Yes. You are correct, your directory does exist.


When you password protect a directory with .htaccess you are telling the server to return a certain response code. The 401 response code meaning the user is unauthorized, to be precise. When the browser received this response code it triggers a username and password prompt. However, and here is the problem, the browser is never receiving the response code.

Why is the browser not receiving the response code?

Good question. If you remember the WordPress .htaccess checks if the requested url points an actual file or directory. It only rewrites you to the index.php file if you aren’t actually requesting a file or directory. When you throw the 401 response code you aren’t actually requesting a file or directory. You are essentially requesting nothing (because you are unauthorized). So the WordPress .htaccess file is behaving correctly – it’s rewriting you to the index.php page and giving you a 404 (because more than likely your password protected directory does not match a permalink on your WordPress blog).

So… if WordPress is making sure that you actually requested a file then… you need to make sure that you are actually getting a file! You can do this by adding the following line to the top of your WordPress .htaccess file:

ErrorDocument 401 default

What you are doing is telling the server to return the default 401 file when it encounters a 401 response code. Once you are returning an actual file WordPress won’t try to grab your request.

Ok. I added that and I’m still having issues. What gives?

If you are like me, then the 401 response code fix wasn’t enough. You are still having the same issue and by now you are wanting to… oh gosh I can’t even think of anything to describe this type of pain.

Let’s look at our .htaccess file we are using to password protect our sub-directory. If you are anything like me your file might’ve looked something like this.

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /public_html/
Require valid-user

This looks perfectly valid to me. However, it turns out this file is generating Internal Server Errors!  (I know because I added a ErrorDocument 500 default line to my WordPress .htaccess file just for kicks.) But this shouldn’t be generating a 500 error unless I’m doing something wrong.

Turns out. I was.

The AuthUserFile argument needs to be the full server path to your .htpasswd file. Turns out, /public_html wasn’t actually the beginning of my server path. As a result the server was throwing a 500 error. Once I figured out what my entire full server path was, and added that to my .htaccess file, everything started working.

To Recap

  1. WordPress does not mess with requests to actual directories or files.
  2. If WordPress is messing with your request then you aren’t requesting an actual directory or file.
  3. It’s likely your Error codes aren’t setup to return actual files.
  4. Make sure your .htaccess file isn’t generating 500 errors (i.e. ensure the path to your .htpasswd file is correct).

Whew! Thank goodness that’s over. Happy Blogging :)

JavaScript Scoping. Callbacks and Loops

I just ran into this issue last night. The problem: I had a loop that was adding a callback to a method. Something like this:

for(var i=0;i<10;i++){
    $myElement.on('some-event', function(){

What I expected was that the value of the i variable at the time it was called would be used in my callback method. However, this was not the case… the i variable was the same in every single callback.

See this JSFiddle for an example.

The reason for this? JavaScript variable hoisting.  Before your code is executed it is scanned and the variables are processed. This has the effect of moving your variables to the top of the current function regardless of where in the function they are defined. (Except for in cases where you are implicitly declaring global variables).

So, in our situation we’ve defined var i. This is processed before the loop is processed and it is as if we wrote this:

var i;
    $myElement.on('some-event', function(){

Now it becomes a bit more clear why we are running into the issue with i being the same. The reason is because by the time the callback is executed the for loop has already run and the value of the i variable is already 10.

The solution, as far as I can tell, is to use an IIFE to scope the variable correctly in order store the current value for later. It looks ugly and it feels hacky… but it seems to be what is necessary. Update: It appears that you can also use .bind to set the value correctly as well.

var i;
            return function(){

And the JSFiddle to demonstrate.

Example With .bind

var i;
    $myElement.on('some-event', DoSomethingWith.bind(undefined, i));

Building StackOverflow Reputation – One Answer a Day

So. I’m a little low in the reputation department of StackOverflow. I mean, my reputation is ok, but it’s not AWESOME. And I need my rep to be awesome because well it’s all in the name. So, I’ve come to the conclusion that I’m going to answer one StackOverflow question every day  (weekday that is… on the weekends I’ll probably be sleeping or eating pizza or sleeping. So stop expecting so much. Stop it.) How long am I going to do this? I have no idea. I plan on making this into a habitual thing.

So here is my StackOverflow reputation as of right now:
jeremysawesome StackOverflow RepRight here I’ve inserted the flair badge which should be kept up to date with my current rep points.

profile for jeremysawesome at Stack Overflow, Q&A for professional and enthusiast programmers

So we will see how the “answer a day” thing goes.

However, I’m going to try and make my answers as helpful as possible. I don’t want to just “give” an answer, I want to also explain it. I want to explain the problem and what it was I did to fix it. I want to link to relevant articles if necessary… I want my answers to serve as teaching material for anyone else who might eventually have the same question. Answering questions in this way I believe will benefit me as well as the person asking the question.

Why would answering questions benefit me? I think that it helps me personally to be able to communicate better. If I’m able to explain a problem and how I solved it to someone else, every single day, then it’ll help me level up my communication skills. If I’m able to clearly understand a problem, and how to solve it, it will help me with my debugging skills. If I don’t know how to solve a problem, then I will most likely be doing research into how to solve the problem. This, in turn, will help me to continue learning.

So let it begin, the quest to answer a StackOverflow question everyday is underway.

Accessing Direct Messages from Disabled Users in Slack

Slack is awesome. I love it. You love it. Everyone loves it. If you don’t love it than that is probably because you haven’t heard about it. So.. go hear about it. Yep – now you love it too. You’re welcome.

One of the cool things about Slack is that it archives all of your conversations. So you can refer to (and search through) previous conversations you’ve had. This morning I was going to do just that, look up an old conversation I had with a previous team member. However, I couldn’t find his name anywhere via the normal slack interface. Because I couldn’t find his name I figured that he must’ve been deleted and my conversations were lost forever… :sad_panda:

But – don’t despair! As it turns out, you can’t actually delete a user in Slack. You can, however, disable a user. And the cool thing about disabled users is that you can still access the messages you’ve sent to them.

Accessing the messages is simple. First go to your Team Directory page in Slack. The url for that is something like Now find the greyed out Disabled Accounts section. Click on it. Next to each of the users you will see a […] menu. Open that menu and select Open Message Archives.

Boom sauce. You can now view your archived direct messages from previous members of your team.

SQL Server – Search Tables for a Column

You can use the following SQL to find all tables with a specific column name within your SQLServer database.

WHERE COLUMN_NAME = 'YourColumnName'

Or, use the LIKE() method if you don’t know your specific column name. If I use the LIKE() method I try to only throw the wildcard at the end of the string… it performs a bit better that way.


Figured I’d post this here because I’ll probably forget and want to know again in the future.

Specify Name and Port for Website Project in IISExpress

When using IISExpress to develop a Website project it is nice to have a specific machine name and port to refer to.

You can specify the machine name and port by editing the binding in the IISExpress applicationhost.config file. The following information was gleaned from this answer on StackOverflow.

  1. Open your applicationhost.config file. It most probably will be %userprofile%\Documents\IISExpress\config\applicationhost.config, but inspect the output from iisexpress.exe to be sure.
  2. Locate your WebSite entry and add following binding with your machine name.
         <binding protocol="http" bindingInformation=":50333:your-machine-name" />
  3. Restart IIS Express

I actually specified my machine name as well as the local domain.


This seems to be working just fine for me. If you are wanting to actually share that url for others to access (maybe within your own work network) you might have to run this in a administrator command prompt as specified in this StackOverflow answer:

netsh http add urlacl url=http://vaidesg:8080/ user=everyone


Disabling the Avatar Menu in Google Chrome

I’ve recently noticed a tiny little button show up in the top right hand corner of Chrome next to the “Close”, “Maximize” and “Minimize” buttons. This button is for Google Chromes newish “Avatar Menu”.

It looks like this:
Google Chrome Avatar Menu

Since I don’t typically like new things.. I immediately went looking for a way to make it go away.

That said, you can use Chrome flags to turn off the avatar menu in Google Chrome.

  1. Open the Chrome flags by typing “chrome://flags/” into your Omnibar.
  2. Search through the flags for “Enable the new avatar menu
  3. Select the “Disabled” option and save.
  4. Relaunch the browser.

Kaboosh. The new Avatar menu is gone (for now).

My Computer Updated Itself to Windows 8.1 Today

The Windows 8.1 experience that I’ve shared below is just that, an experience. Windows 8.1 itself is fine, I’d prefer if it gave me more customization options. Personally, I’d prefer not having a Windows button (I’ve got a windows key on my keyboard). Personally I’d prefer full screen search over the tiny search bar in 8.1. So Microsoft would’ve done better to provide personalization options, not to choose for you.

And I’m a little ticked off.

First off, my computer updated itself without my knowledge nor my permission. It had asked me a few times, to which my answer was always “Not Right Now”. However, it decided, of it’s own accord, that it would update itself. That kind of behavior is not acceptable.

In addition to updating itself to Windows 8.1 it also decided that it would be helpful and download/setup/install a bunch of apps for me. Once again it did so without asking for my permission. It then decided that it wanted me to create a special Microsoft Account to use my personal computer, Luckily, I found a way around that (using my smartphone, because my computer wouldn’t let me use it).

When I finally got into the computer I discovered that it had changed a number of things that I did not tell it to.

  1. It Rearranged my taskbar icons.
  2. It added a Start Button
  3. It threw Internet Explorer onto my taskbar
  4. It changed the way I search for things in the start menu.
  5. It changed the way my start menu looked.

All in all, I wasn’t that happy with the way Windows 8.1 decided to force itself upon my machine.

A few tips for the future.

  1. Do not update my machine without asking me
    1. If I tell you to wait, then you better wait and you better not update without me.
  2. Do not *force* me to make a Microsoft Account to use my own computer.
    1. Make the fact that it’s *optional* more clear.
    1. I have icons on my taskbar for a reason, don’t mess with them
    2. Don’t try to trick me to use IE by placing it in prominent places on my machine
    3. Don’t add things without asking me
    4. Don’t change things without asking me
  4. It disabled my PS3 controller(that I spent a long time trying to get to work on my computer).

This whole process would’ve been a whole lot less frustrating if it allowed for more input from the user. It should’ve told me about all the changes it wanted to do (add IE, add the Windows button, modify the Startmenu), and more importantly, it should’ve given me the option to keep things the way they were.

So… now I proceed to search the internet for ways to make my computer the way I like it again. Which makes me even more frustrated.


It appears there is no built in way to turn off the Windows button in the taskbar. There is also no way to make my Start Screen searches full screen by default anymore. (Ok, so if I actually click the apps view, and then search, the search is the way I want it to work). The only way to get these things back to the way I like them is by re-installing windows 8, which is pretty annoying. All in all I’m really sad with the way this whole update happened.


Kaira mentioned that she’s been postponing the update by doing the following. Maybe that will help some of you.

What I do is, when the prompt asking to restart at a time of my choosing sets, set it to as late as it goes, then rush over to the Windows Store. Click Updates (top right) and you’ll see it downloading 8.1. Click that and something at the bottom comes up, and you can select Cancel.

A Few Ideas Regarding SCRUM Process

We’ve been using SCRUM at work. It’s certainly been a learning process. During that process I’ve learned that I’m not a very big fan of SCRUM. I’ll write more on that later. That said, I’ve come up with a few ideas which I hope will make my time, and my teams time, with SCRUM a bit better.

  1. Start measuring stories on complexity not time.
    It’s very easy for a story to be under-estimated. If a story is not estimated correctly, it will take longer and you will most likely miss your Sprint. Don’t think about time when estimating, we like to think we can get things faster than we actually can. Think, instead, about how complex something is. The more complex it is, the higher point it should get.
  2. Use a 10 point scale in your head when estimating.
    Depending on what you are using, the SCRUM point scale skips numbers. Our numbers are:

    0, 0.5, 1, 2, 3, 5, 8, 13, 20, 40, 100, INFINITY

    When we see numbers like 13 we immediately think that they are “big” numbers. So when we estimate we tend to pick numbers under 13 even though the story being estimated might require a 13. So, I say pick a number between 1 and 10 in your head and then translate that to the SCRUM numbers.

    0.5 1
    1 2
    2 3
    3 4
    5 5
    8 6
    13 7
    20 8
    40 9
    100 10
  3. Take the larger of any numbers present.
    I’ve dubbed this Jeremy’s law. During the course of estimating you might find yourself wrestling between a 2 and a 3 in your head. Take the bigger number. If there is any doubt in your mind, you should just take the bigger number instead of committing to something that you are not sure of.
  4. Look back at similar stories points. Did we complete them or were they underestimated?
    Previous stories you have completed might be similar to the ones you now have to do. Or they might have a similar complexity. Rather than estimating a whole new estimate, use that information to your advantage. If, in the past a story like this took a long time, it will probably take a long time again.
  5. Forget about doing it right the first time.
    This will be the hardest for me. I like to do it right the first time. But when it comes to SCRUM the key is to get stuff done. Once you have something done you can then iterate on it. Now – I’m not saying that you shouldn’t program using SOLID principles. I am saying that it’s easy to spend a lot of time analyzing things. Just jump in there and start coding it up.Think of the story as not having to be totally complete. Think of it as a step towards being totally complete. Just get it done as fast as possible. Than pass to testing. Once it’s done we can reiterate on it to improve it. But the first goal should be to get something out the door.
  6. Do create follow up stories (discovery stories for what is wrong)
    During a SPRINT review a stakeholder might not approve the story to go live. We should create a discovery story then and there to figure out what further they need from the story. Create new stories based on the results of your discoveries.
  7. Once a story meets ac it is done
    As long as the original story meets the acceptance criteria we can consider it done. Anything that changes the AC should yield a new story with new AC. This will allow us to iterate on the first while keeping the first story in a “done” state.
  8. Be more pro active about sending too complex stories back to be broken up further.
    Big stories need to be broken up. It’s just how it is. Don’t feel bad about sending a story back to be broken up.
  9. Don’t take in a thirteen if possible.
    In our version of SCRUM, stories that are 13 points will take up the whole Sprint. And because we know that things usually take longer than we expect, a thirteen will definitely overflow the timebox. So, send it back to be broken up.
  10. Pull smaller bits more often into master.
    There are certain bits of code that we add during the course of a project that can be added to master. We split the stories up, but maybe we can also split the code up as well. Instead of pulling a huge change into master, let’s identify the things that can go to master as we go along.
  11. Push things out as frequently as possible.
    Avoid the big pushes and potential big breakages by pushing smaller bits of code out more often. We talk about this often and say it is a good idea, but we don’t do it. We don’t need to get stakeholder approval to fix a bug we find, so push the bug fix live. We don’t need stakeholder approval to fix performance issues – so push those live. We don’t need approval to repay technical debt – so push that live.I’d reccomend we push anything live that we can. The stakeholders like to bundle everything up into a gigantic push. We really need to let them know that a better way to do it is a little bit all of the time.
  12. Immediately create stories for what needs to be done as soon as it is known.
    I think we as developers should be more pro-active about creating stories. If we find something that needs to be done, create a story for it. It’s hard to prioritize these kinds of stories because they are not necessarily related to business initiatives. So, use your best judgment in when to pull it in. The key is, it’s not going to get done unless we remember to do it.
  13. Always be thinking of ways to improve the process.
    Don’t be afraid to get rid of waste. If we get rid of the “big” waste, it enables us to see the smaller waste. If something is wasteful, don’t be afraid to get rid of it or let someone know you think it is time for it to go.

I really hope these things help. Ideally I’d like to move away from SCRUM. However, if I’m going to have to use SCRUM then I might as well figure out how to make it better.

Do you have any ideas on how to improve the SCRUM process? What do you do? How did your teams make things better?

Deserializing JSON to a .NET Object

Generally in .NET MVC you would use the default model binders to deserialize JSON to a .NET object. However, there are some cases, involving “complex” collections, where this becomes a bit tedious to do. Microsoft provides a few ways around this, but none are satisfactory. Unlike the default model binders, the JavaScriptSerializer provides support for deserializing JSON to a .NET object with complex collections.

Take the following simple class and method signature for example:

// simple class
public class SaveInformation
    public string Name { get; set; }
    public Dictionary<string, List<SaveItem>> Components { get; set; }

// method signature
public ActionResult Save(SaveInformation saveInformation)

Below I’ve included some simple JSON that we will pass to .NET via AJAX:

{"SaveToSession":false,"Name":"My Stupendous Thing","Components":{"Component1":[{"ProductId":"1234"}]}}

We are passing the JSON to .NET using AJAX with the “application/json” contentType. Because we are using the “application/json” contentType, .NET will automatically call the JsonValueProviderFactory and map the information over to our SaveInformation model. It seems pretty straight forward, the Save method will receive a SaveInformation object when it is called.

Not so straightforward unfortunately, the Save method does receive a SaveInformation object. If we inspect our SaveInformation object we see the Name is populated perfectly fine, but the Components dictionary ends up being null.

The reason for this? It seems that the JsonValueProviderFactory doesn’t fully support pure JSON syntax. In order for .NET to properly parse a complex collection, you actually have to give it a numerical index.


Though it’s somewhat counterintuitive, JSON requests have the same requirements—they, too, must adhere to the form post naming syntax. Take, for example, the JSON payload for the previous UnitPrice collection. The pure JSON array syntax for this data would be represented as:

    { "Code": "USD", "Amount": 100.00 },
    { "Code": "EUR", "Amount": 73.64 }

However, the default value providers and model binders require the data to be represented as a JSON form post:

    "UnitPrice[0].Code": "USD",
    "UnitPrice[0].Amount": 100.00,

    "UnitPrice[1].Code": "EUR",
    "UnitPrice[1].Amount": 73.64

I know right? It was hard for me to read this as well due to the anime-sized tears in my normal-sized eyes. The problem is, no browser I know of has a JSON.serializeForDotNet function. So this leaves us with two options, make our own JSON serializer, or make our own ValueProvider/ModelBinder. Neither of these options sounded very appealing to me, so I went with the hidden third option. Pass in a string :)

You can use the JavaScriptSerializer class, located in System.Web.Script.Serialization, to deserialize JSON information and, as an added bonus, it actually handles properly formatted pure JSON!

So, the new method looks like this. We pass in a string value and deserialize it using the JavaScriptSerializer. Now we receive a SaveInformation object with a fully populated Components dictionary.

public ActionResult Save(string saveInformation)
    // instantiate a JavaScriptSerializer
    JavaScriptSerializer serializer = new JavaScriptSerializer();

    // use the JavaScriptSerializer to deserialize our json into the expected object
    SaveInformation saveInformationObject = serializer.Deserialize<SaveInformation>(saveInformation);