Run a security scan on WordPress site that has .htaccess password

Closed. This question is off-topic. It is not currently accepting answers.

Your question should be specific to WordPress. Generic PHP/JS/SQL/HTML/CSS questions might be better asked at Stack Overflow or another appropriate Stack Exchange network site. Third-party plugins and themes are off-topic for this site; they are better asked about at their developers' support routes.

Closed 5 years ago.

Firstly, I don't know the correct term for what this password thing is. I think it's just a line in .htaccess, that prevents bots or unauthorized access to a staging environment, but it also breaks some other functionality from time to time. It's possible the password is not in .htaccess. I don't have access to it, and I cannot disable it.

I've tried 2 popular security plugins to run a scan on my site (am I allowed to say their names?), but they run into errors such as:

"The scan has failed to start. This is often because the site either cannot make outbound requests or is blocked from connecting to itself."

"SiteCheck error: Unable to properly scan your site. 401 Unauthorized"

Is there another "tool" that will run a scan without me disabling the password? (am I allowed to ask for suggestions on WordPress "tools"?)

asked Oct 2, 2019 at 21:45 by Joel M
  • Don’t use such plugins. They are only plugins - if your site is already infected, then someone is able to modify its code - so he’ll also be able to modify the behavior of these plugins (I’ve demonstrated this many times on WordCamps). And no - there is no automatic way of checking if the code of the site is secure - a simple mail($a, $b, $c) can be secure or insecure - depends on a, b, c... So using these plugins is just a waste of time and resources - and even worse - you’ll have to spend a lot of time to delete all the garbage they leave in your DB and on your server... – Krzysiek Dróżdż Commented Oct 3, 2019 at 5:58
  • The site isn't infected. As a precaution, I would like to know if any plugin files or core files are definitely different from what they should be. My alternative (which I often do) is to manually look through files for anything that looks blatantly suspicious. Would you like to estimate how efficient this process is compared to a security scan (even if the scan is going to give me false negatives some of the time)? – Joel M Commented Oct 3, 2019 at 20:12
  • Using such a plugin won't secure anything. You can trust these scanners as long as the site is clean. If it gets infected, scans can show anything. So you may presume that these scans will always show that your site is safe - so they're useless... On the other hand, security plugins are the plugins with the highest count of vulnerabilities in their code and they completely kill the performance of your site. So no - you don't want to use them (even if they look like such a great choice)... – Krzysiek Dróżdż Commented Oct 3, 2019 at 20:46
  • I am talking about if I copy a website into a staging environment and just want to run a scan one time and then delete the plugin. I don't have a false sense of security and my question has nothing to do with how good a security plugin is at finding malicious code. I just want to run a scan in a matter of minutes so that if there is badly written malicious code it might be identified. I literally couldn't care less if 10%, or 50%, or 90% of the time, it fails to detect malicious code that is indeed there. – Joel M Commented Oct 3, 2019 at 21:00
  • I will agree with you on the lack of usefulness of such plugins, but still, my question has nothing to do with that. – Joel M Commented Oct 3, 2019 at 21:01

1 Answer

The parent directory (which I don't have access to) uses htpasswd, but I can override this for my directory only by adding

Satisfy Any

to .htaccess. This fixes the issues I was having. I'm ok with disabling the authentication temporarily to run a scan and turning it back on afterwards.

More info on disabling htpasswd here: https://stackoverflow.com/a/1431399/7220351
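
A narrower variant of the override in the answer above, as an added example that is not part of the original post: a bare `Satisfy Any` with no host rules lets every client in, whereas this keeps the password for everyone except the server's own requests to itself, which is the connection the failed scan needed. The address 203.0.113.10 is a placeholder for the server's own IP, and the example assumes the host permits `Limit` as well as `AuthConfig` overrides in .htaccess.

```apache
# Added example, not from the original post. Goes in the site directory's
# .htaccess. AuthType, AuthUserFile and "Require valid-user" are inherited
# from the password-protected parent directory described on the page.

# --- Weak: what a bare "Satisfy Any" amounts to (Apache 2.2 syntax) ---
# With no Order/Deny/Allow rules the host check passes for every client,
# so nobody is asked for the password while this line is present.
#
#   Satisfy Any

# --- Narrower: skip the password only for the server's own requests ---
# Host check passes only for the listed addresses; every other client
# falls through to the inherited password prompt.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
# Placeholder: replace with this server's own address, in case requests
# to the site's hostname arrive from it rather than from loopback.
Allow from 203.0.113.10
Satisfy Any

# --- Apache 2.4 equivalent (use instead of the five directives above) ---
# <RequireAny>
#     Require ip 127.0.0.1 ::1 203.0.113.10
#     Require valid-user
# </RequireAny>
```

A scanner that fetches the site from outside will still receive 401 unless its source address is added in the same way.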
