How do you password protect directories using htaccess? - Revision history

Hutchy68: Hutchy68 moved page How do you password protect directories using .htaccess? to How do you password protect directories using htaccess?: fixing page not accessible

2012-10-11T02:47:22Z

Hutchy68 moved page How do you password protect directories using .htaccess? to How do you password protect directories using htaccess?: fixing page not accessible

JoomlaWikiBot: /* Directions */clean up categories with tags

2012-09-01T20:41:56Z

‎Directions: clean up categories with <noinclude> tags

Mvangeest: Adjusted layout

2011-01-12T21:32:55Z

Adjusted layout

Mvangeest: Adjusted layout

2011-01-08T17:41:00Z

Adjusted layout

Batch1211 at 10:36, 5 October 2010

2010-10-05T10:36:19Z

Jabama: New page: '''Overview''' This FAQ explains how to protect the Joomla! /administrator/ directory on Apache servers using the htpasswd utility. You can easily adapt these instructions to protect othe...

2008-10-11T22:31:32Z

New page: '''Overview''' This FAQ explains how to protect the Joomla! /administrator/ directory on Apache servers using the htpasswd utility. You can easily adapt these instructions to protect othe...

New page

'''Overview'''

This FAQ explains how to protect the Joomla! /administrator/ directory on Apache servers using the htpasswd utility. You can easily adapt these instructions to protect other directories. If you need help finding or creating your .htaccess file, start here.

'''Caveat (From Apache.org)'''

Basic authentication should not be considered secure for any particularly rigorous definition of secure.
Although the password is stored on the server in encrypted format, it is passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.

Not only that, but remember that the username and password are passed with every request, not just when the user first types them in. So the packet sniffer need not be listening at a particularly strategic time, but just for long enough to see any single request come across the wire.

And, in addition to that, the content itself is also going across the network in the clear, and so if the web site contains sensitive information, the same packet sniffer would have access to that information as it went past, even if the username and password were not used to gain direct access to the web site.

Don't use basic authentication for anything that requires real security. It is a detriment for most users, since very few people will take the trouble, or have the necessary software and/or equipment, to find out passwords. However, if someone had a desire to get in, it would take very little for them to do so.

Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password.

'''Directions'''

1. If you are unfamiliar with the Apache htpasswd utility, you may want to read the following link first.
Apache Authentication, Authorization, and Access Control

2. Check to be sure your site is configured to use .htaccess files. If not sure, ask your host.

3. Decide where to put your .htaccess file. Because Apache recursively searches all directories in a path for .htaccess files, the higher in your directory structure you place this file, the more directories it will control. If there is already an .htaccess file in the directory you choose, it's probably best to add the new code to it.

4. Decide where to store your.htpasswd and .htgroups files. These files should NEVER be publicly accessable through the Web. Below is an example directory structure showing good locations for each file. Note that the /auth/ directory in this example is NOT accessible from the Web.

/home/mysite/public_html/.htaccess
/home/mysite/auth/.htpasswd/
/home/mysite/auth/.htgroups/

5. Create the .htpasswd and .htgroups files as explained in the official Apache HowTo, referenced above. (Since you've read the always current and official documentation at Apache.org, we'll spare you the trouble of displaying it again here.)

6. If a .htaccess file already exists in the directory you have chosen, make a backup copy. If the file does not exist, create a new file with that name now. (Don't forget the dot at the beginning of the name.)

7. Add the following code to the .htaccess file. Adjust the example paths (marked in red) as needed for your server. Adjust the group name that you created in step 5 if it differs from the below example.

AuthUserFile /home/auth/.htpasswd
AuthGroupFile /home/auth/.htgroups
AuthType Basic
AuthName "LWS"
require group admins

8. Test carefully.

9. Remove all backup .htaccess files from public_http directories.

10. If you can not use the Apache htpasswd utility, here's a free, online script that creates the necessary files for you. You'll need to know the user name, password, and path. The script does the rest for you. Note that for more advanced configuration, such as the use of groups, you'll need to edit the resulting files.

'''.htaccess Generator:''' http://www.webmaster-toolkit.com/htaccess-generator.shtml

[[Category:FAQ]]
[[Category:Administration FAQ]]
[[Category:Getting Started FAQ]]
[[Category:Installation FAQ]]
[[Category:Version 1.5 FAQ]]

@@ Line 20: / Line 20: @@
 # Decide where to put your .htaccess file. Because Apache recursively searches all directories in a path for .htaccess files, the higher in your directory structure you place this file, the more directories it will control. If there is already an .htaccess file in the directory you choose, it's probably best to add the new code to it.
 # Decide where to store your.htpasswd and .htgroups files. These files should NEVER be publicly accessable through the Web. Below is an example directory structure showing good locations for each file. Note that the /auth/ directory in this example is NOT accessible from the Web.
-#* <tt>/home/mysite/public_html/.htaccess</tt>
+#* <code>/home/mysite/public_html/.htaccess</code>
-#* <tt>/home/mysite/auth/.htpasswd/</tt>
+#* <code>/home/mysite/auth/.htpasswd/</code>
-#* <tt>/home/mysite/auth/.htgroups/</tt>
+#* <code>/home/mysite/auth/.htgroups/</code>
 # Create the .htpasswd and .htgroups files as explained in the official Apache HowTo, referenced above. (Since you've read the always current and official documentation at Apache.org, we'll spare you the trouble of displaying it again here.)
 # If a .htaccess file already exists in the directory you have chosen, make a backup copy. If the file does not exist, create a new file with that name now. (Don't forget the dot at the beginning of the name.)

← Older revision		Revision as of 10:36, 5 October 2010
Line 58:		Line 58:
	[[Category:Installation FAQ]]		[[Category:Installation FAQ]]
	[[Category:Version 1.5 FAQ]]		[[Category:Version 1.5 FAQ]]
		+	[[Category:Security]]

@@ Line 34: / Line 34: @@
 '''.htaccess Generator:''' http://www.webmaster-toolkit.com/htaccess-generator.shtml
-[[Category:FAQ]]
+<noinclude>[[Category:FAQ]]
 [[Category:Administration FAQ]]
 [[Category:Getting Started FAQ]]
 [[Category:Installation FAQ]]
 [[Category:Version 1.5 FAQ]]
-[[Category:Security]]
+[[Category:Security]]</noinclude>

@@ Line 1: / Line 1: @@
 This FAQ explains how to protect the Joomla! /administrator/ directory on Apache servers using the htpasswd utility. You can easily adapt these instructions to protect other directories. If you need help finding or creating your .htaccess file, start here.
-'''Caveat (From Apache.org)'''
+=== Caveat (From Apache.org) ===
 Basic authentication should not be considered secure for any particularly rigorous definition of secure.
@@ Line 16: / Line 14: @@
 Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password.
-'''Directions'''
+=== Directions ===
-−
-. If you are unfamiliar with the Apache htpasswd utility, you may want to read the following link first.
-Apache Authentication, Authorization, and Access Control
-−
-. Check to be sure your site is configured to use .htaccess files. If not sure, ask your host.
-−
-. Decide where to put your .htaccess file. Because Apache recursively searches all directories in a path for .htaccess files, the higher in your directory structure you place this file, the more directories it will control. If there is already an .htaccess file in the directory you choose, it's probably best to add the new code to it.
-−
-. Decide where to store your.htpasswd and .htgroups files. These files should NEVER be publicly accessable through the Web. Below is an example directory structure showing good locations for each file. Note that the /auth/ directory in this example is NOT accessible from the Web.
-−
- /home/mysite/public_html/.htaccess
- /home/mysite/auth/.htpasswd/
- /home/mysite/auth/.htgroups/
-−
-−
-. Create the .htpasswd and .htgroups files as explained in the official Apache HowTo, referenced above. (Since you've read the always current and official documentation at Apache.org, we'll spare you the trouble of displaying it again here.)
-−
-. If a .htaccess file already exists in the directory you have chosen, make a backup copy. If the file does not exist, create a new file with that name now. (Don't forget the dot at the beginning of the name.)
-−
-. Add the following code to the .htaccess file. Adjust the example paths (marked in red) as needed for your server. Adjust the group name that you created in step 5 if it differs from the below example.
-−
- AuthUserFile /home/auth/.htpasswd
- AuthGroupFile /home/auth/.htgroups
- AuthType Basic
- AuthName "LWS"
- require group admins
-−
-−
-. Test carefully.
-. Remove all backup .htaccess files from public_http directories.
+# If you are unfamiliar with the Apache htpasswd utility, you may want to read the following link first. Apache Authentication, Authorization, and Access Control
-. If you can not use the Apache htpasswd utility, here's a free, online script that creates the necessary files for you. You'll need to know the user name, password, and path. The script does the rest for you. Note that for more advanced configuration, such as the use of groups, you'll need to edit the resulting files.
+If you can not use the Apache htpasswd utility, here's a free, online script that creates the necessary files for you. You'll need to know the user name, password, and path. The script does the rest for you. Note that for more advanced configuration, such as the use of groups, you'll need to edit the resulting files.
 '''.htaccess Generator:''' http://www.webmaster-toolkit.com/htaccess-generator.shtml