I was having issues (401 error) trying to reach my website via rest API. I moved the Wordpress block in my .htaccess file to the top and now my website is reachable. This is the first block that I now have in my .htaccess file?

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Do I need to combine the two lines of the RewriteRule lines like this? Does it change anything functionally?

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Prior to me making any changes, the first block in the .htaccess file was:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

So by moving the "Wordpress block" it just adds the one line RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

CodePudding user response：

Do I need to combine the two lines

You certainly don't "need" to combine those two lines.

It will probably make no difference to accessing your rest API if you do.

A single, combined directive

By combining those two directives, as you have done, will mean the HTTP_AUTHORIZATION env var (used to help with HTTP Authentication) will only be set on requests that are routed through WordPress (including the homepage). And (on Apache^*1) the REDIRECT_HTTP_AUTHORIZATION env var will not be generated when requests are rewritten to the WordPress front-controller (index.php), ie. page requests other than the homepage. Although I'm pretty sure that WordPress does not take advantage of this anyway. The HTTP_AUTHORIZATION env var will not be set on requests to static resources (images, CSS, JS, etc.) as it would have been before.

Two separate directives

With the two separate directives, as in the orginal code, the HTTP_AUTHORIZATION env var is set on every request, including requests for static resources. (But ordinarily, this is redundant.) And (on Apache^*1) the REDIRECT_HTTP_AUTHORIZATION env var will be generated when requests are rewritten to the WordPress front-controller (index.php), ie. page requests other than the homepage.

(^*1 As opposed to LiteSpeed, where env vars of the form REDIRECT_... are not generated anyway.)

I moved the Wordpress block in my .htaccess file to the top and now my website is reachable.

That isn't necessarily the correct thing to do. Ordinarily, the WordPress code block (the front-controller) should appear later in the file. There may have just been a single conflicting rule that should have been "modified" or perhaps moved to after the WordPress code block. But moving those directives to after the WordPress code block may effectively "disable" those rules entirely.

UPDATE:

Prior to me moving the "Wordpress" block to the top, this is what the first block had:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

That code block is just an erroneous "copy" of the WordPress code block (less the HTTP_AUTHORIZATION var) and should be deleted altogether!