Secure your server with htaccess
21/10/2013
I apologize if this topic drifts a bit away from the usual ones you find here at ghacks but I thought it would be extremely useful for everyone who has a server or webspace that supports htaccess and htpasswd. Htaccess files can do much more than just secure a directory on your server or website but I want to concentrate on this topic because it is something that I have been using on some of my websites for a very long time to increase security.
I use it mainly to secure certain directories on my websites from being accessed without the proper authorization. In the case of WordPress this is the admin directory, for instance, but it could also be used to secure a directory that hosts some valuable files.
I would like to point out two possibilities for securing a directory with .htaccess. The first is to protect the directory by only allowing users with a certain IP or IP range to access it. Everyone else would receive an access denied error message.
The second possibility is to create usernames and passwords that have to be supplied before the content can be accessed.
Create a .htaccess file and add the following code to it:
AuthName "Protected Content"
# Deny everyone first, then let the listed Allow lines override (Apache 2.2 directives)
Order Deny,Allow
Deny from all
Allow from 255.255.255.255
Change the IP address in the last line to the one used by the user or users. You can use wildcards (*) if the user is receiving dynamic IPs from his ISP. It is possible to add as many Allow from lines to the .htaccess file as you want. Place that .htaccess file in the directory that you want to protect (all subdirectories are affected as well).
The problem with this kind of protection is twofold. If your IP changes, say you are on holiday or accessing from a different location, you need to add or change the IPs in the .htaccess code. And users who happen to have an IP in that range can access the content without problems; this is usually a user from the same ISP.
A more secure option is basic authentication.
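How far an allow list reaches can be checked before it is deployed. The following is an added example, not code from the post: it emulates how Apache's mod_authz_host (Apache 2.2; mod_access_compat on 2.4, where the equivalent directive is Require ip) matches the argument of Allow from, which may be a full address, a partial dotted prefix such as 203.0.113 (the first one to three octets), an address/netmask pair, or a CIDR network. The addresses are constructed from the 203.0.113.0/24 documentation range; IPv4 only is an assumption of the example.

```python
"""Emulate 'Order Deny,Allow' + 'Deny from all' + 'Allow from ...' matching.

Added example (not from the ghacks post). Shows why a partial address or
range admits every host of the same ISP block, which is the post's second
caveat. Sample addresses are constructed from the 203.0.113.0/24 range.
"""
import ipaddress


def _rule_to_network(rule: str) -> ipaddress.IPv4Network:
    """Translate one 'Allow from' argument into a network (assumption: IPv4).

    Accepted forms mirror Apache: '203.0.113.42' (host), '203.0.113'
    (partial: first 1-3 octets), '203.0.113.0/255.255.255.0' (netmask),
    '203.0.113.0/24' (CIDR).
    """
    if "/" in rule:
        # CIDR or address/netmask; strict=False tolerates host bits set
        return ipaddress.IPv4Network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) == 4:
        return ipaddress.IPv4Network(rule + "/32")
    # partial address: pad with zero octets, prefix covers the octets given
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}", strict=False)


def is_allowed(client_ip: str, allow_rules) -> bool:
    """With Order Deny,Allow and Deny from all, a request passes only if
    the client address matches at least one Allow rule."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in _rule_to_network(rule) for rule in allow_rules)


def allowed_address_count(allow_rules) -> int:
    """How many distinct addresses the allow list admits (upper bound;
    overlapping rules are counted once per rule)."""
    return sum(_rule_to_network(rule).num_addresses for rule in allow_rules)


def render_ip_htaccess(allow_rules) -> str:
    """Produce the .htaccess text for the IP-based protection."""
    lines = ['AuthName "Protected Content"', "Order Deny,Allow", "Deny from all"]
    lines += [f"Allow from {rule}" for rule in allow_rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # One exact host versus the whole /24 the host sits in
    for rules in (["203.0.113.42"], ["203.0.113"]):
        print(render_ip_htaccess(rules))
        print("admits", allowed_address_count(rules), "address(es);",
              "203.0.113.77 allowed:", is_allowed("203.0.113.77", rules))
```

Run it to see that the exact-host rule admits one address while the three-octet partial admits 256, including the neighbouring 203.0.113.77; that difference is the trade-off between convenience for dynamic-IP users and exposure to everyone else on the same block.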
Whenever a user tries to access a directory or file, a popup will appear asking the user for a username and password. This method requires two files, a .htaccess file and a .htpasswd file. The .htpasswd file stores the usernames and encrypted passwords and should be placed outside of the root directory of the website.
AuthName "Restricted Area"
Since the passwords in that file are stored encrypted (hashed), you need to use a script to generate the entries. A working one is the htpasswd Content Generator. Just enter a username and password and click on encrypt. Paste the line from the results page into the .htpasswd file and place that file at exactly the path you specified in AuthUserFile.
It is possible to combine both protections for added security. I would begin by checking whether your webhost allows these kinds of files.
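The whole basic-auth exchange described above (the .htaccess directives, the .htpasswd entry, the browser popup triggered by a 401, and the credential check) can be walked through end to end. This is an added example, not the post's code or the generator it links to. It writes .htpasswd entries in the {SHA} format that Apache's own htpasswd tool produces with -s, because that format can be computed with the Python standard library; for real deployments htpasswd -B (bcrypt) is the stronger choice. The path /var/www/private/.htpasswd, the user alice and the password s3cret are constructed sample values.

```python
"""Emulate Apache basic auth with .htaccess + .htpasswd.

Added example (not from the ghacks post). Entry format is {SHA}
(user:{SHA}base64(sha1(password))), as produced by 'htpasswd -s';
prefer 'htpasswd -B' (bcrypt) in production. Sample values constructed.
"""
import base64
import hashlib
import hmac

REALM = "Restricted Area"


def htpasswd_entry(user: str, password: str) -> str:
    """One .htpasswd line in {SHA} form."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def render_auth_htaccess(htpasswd_path: str) -> str:
    """The .htaccess placed in the protected directory; htpasswd_path must be
    absolute and should point outside the web root (path is an assumption)."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{REALM}"',
        f"AuthUserFile {htpasswd_path}",
        "Require valid-user",
    ]) + "\n"


def _load_htpasswd(text: str) -> dict:
    """Parse .htpasswd text into {user: stored_hash}; blank/comment lines skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_credentials(user: str, password: str, htpasswd_text: str) -> bool:
    """True only for a known user whose {SHA} hash matches the password."""
    stored = _load_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash scheme this example does not handle
    expected = htpasswd_entry(user, password).split(":", 1)[1]
    return hmac.compare_digest(stored, expected)  # constant-time comparison


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the popup: Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def handle_request(authorization_header, htpasswd_text: str):
    """Return (status, response_headers) as the server would. A 401 with
    WWW-Authenticate is what makes the browser show the username/password popup."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if not authorization_header or not authorization_header.startswith("Basic "):
        return 401, challenge
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
        user, password = decoded.split(":", 1)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return 401, challenge
    if check_credentials(user, password, htpasswd_text):
        return 200, {}
    return 401, challenge


if __name__ == "__main__":
    htpasswd_text = htpasswd_entry("alice", "s3cret") + "\n"  # constructed sample
    print(render_auth_htaccess("/var/www/private/.htpasswd"))
    print(".htpasswd:", htpasswd_text.strip())
    print("no header   ->", handle_request(None, htpasswd_text))
    print("wrong pass  ->", handle_request(basic_header("alice", "wrong"), htpasswd_text))
    print("right pass  ->", handle_request(basic_header("alice", "s3cret"), htpasswd_text))
```

Note that the Authorization header is only base64-encoded, not encrypted, so basic auth protects the directory only if the site is served over HTTPS; the hashing in .htpasswd protects the stored passwords, not the ones in transit.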