Information
Resources
Submit
- 16 Oct 2008
- Tutorials
- 14992 Reads
- 4 Comments
As you already know the admin panel can easily be accessed with an admin or super admin account. Admin and super admin accounts are one of many hacker targets.
I'm going to show you how to add easy but effective protection to your admin control panel using htacess and htpasswd. The nice thing about using htaccess and htpasswd is there are no back doors to retrieving username and passwords unlike php and js.
First create a .htaccess file. Also create a .htpasswd file which we will use later on. Make sure you put both of those files into the administration directory.
Add the following code to the .htaccess file...
AuthName "Admin Control Panel"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user
NOTE: Change the "/full/path/to/.htpasswd"
to the full path on your server where your .htpasswd file is located. If you do not know the full path contact your web host.
Next open the .htpasswd file that we created earlier (nothing in front of the dot). This file will contain the usernames and passwords for accessing the admin control panel.
Add the following code to the htpasswd file...
username:password
Change the username and password to the ones you desire to use. (do not use the same account info that your admin account has otherwise this tutorial is useless)
* Note: do not put your password in regular form, encrypt it at htaccesstools.com !
Simply add that code on a new line to add another username and password possibility.
Also don't forget to add the following code to the .htaccess file which will protect the htaccess file and htpasswd file itself.
<Files ".htaccess">
order allow,deny
deny from all
</Files>
<Files ".htpasswd">
order allow,deny
deny from all
</Files>
Congratulations you've just added more security to your admin panel. You will only need to login once when the pop up comes up when accessing the acp per browser session.
You will not regret doing this especially if your account is ever hacked, the hacker will only do minor damage like delete forum posts and etc. Remember the admin control panel is like the brain that operates and controls the content of the site, so lets keep its security protection high.
Besides this small security addon it's highly recommended to backup your site every x weeks. Whenever your websites gets more active make backups more frequent, this to prevent data loss!
Written by Brandon, a thanks to webadmin88 for extra information.
I have to disagree with this tutorial. When inserting the line in the .htpasswd file YOU SHOULD NOT use username
assword, but ENCRYPTED password instead. The logic behind this encryption is hard so just use this method here:
http://www.htacce...generator/
Regards
Very well written and informative.
Thanks!
BIG thanks for guide
You can allow known IPs to access the administration directory. Here is how I do it with .htaccess in administration folder:
Order Deny,Allow
Deny from all
allow from YOU IP
Just change YOU IP to your IP. You can find your IP here >> http://www.myip.x..., You can ofcourse add another "allow line" to above code, if you want to use the admin from multiple computers.