.htaccess on /catalog/admin folder?

**jusluv2ski** · 10-10-2009, 06:53 PM

The Install directions state to password protect the /catalog/admin folder using the .htaccess file and .htpasswd file.

Not having luck with this.

Is this needed though? If so, that means i have to sign in twice when logging in to the admin section? first to have access to admin folder and 2nd to login to the admin side of oscmax. just seems odd.

if its needed, i'm all for it. but a little help with the .htaccess file. per instructions, i added this to the top of the .htaccess file:

AuthType Basic
AuthName "Locked Area"
AuthUserFile /home/youraccount/.htpasswds/admin/passwd
require valid-user

Second i added this line --> user: password
to an .htpasswd file.

isn't that all i need to do? what does the "AuthUserFile" need to be? maybe i have that wrong. I changed mine to "/.htpasswds". that is where my .htpasswd file is. /.htpasswds/.htpasswd

thanks!

Justin

**ridexbuilder** · 10-11-2009, 02:31 AM

Whilst not absolutely necessary, it is a VERY good idea to password protect your admin directory (as well as renaming it). Unless of course, you don't mind hackers getting into your site.

Having spent a few hours repairing a hacked site

, last week, I can categorically say that it IS a worthwhile thing to do.

Password protection is easy to implement via cPanel.
Example of an auto-generated .htaccess in the "newadmin" directory

Code:

AuthType Basic
AuthName "newadmin"
AuthUserFile "/home/account/.htpasswds/public_html/catalog/newadmin/passwd"
require valid-user

And the corresponding /home/account/.htpasswds/public_html/catalog/newadmin/passwd

Code:

user: aBYtNpWdb

[Fictitious, showing a made up user and MD5 password ]

EJ

**michael_s** · 10-11-2009, 06:08 AM

A better way is to do limit access by IP or domain. That will eliminate the need to login two times, and will not allow any access to anyone else.

Just google ".htaccess limit by ip"

**ridexbuilder** · 10-11-2009, 07:50 AM

Well seeing "The Boss" ain't a user of UK's version of AOHell, with the dynamic IP addresses (they fluctuate by the minute, let alone on next net usage).

Needless to say, I don't use 'em.

Now restrict by domain... I like that idea... goes off to Google.

**jusluv2ski** · 10-11-2009, 11:03 AM

Thanks for the help guys. I will look into the different options for the future. For the mean time, i set it up through cpanel. works like a charm.

I was going to rename the folder "admin" to something else, but got an error when doing so. Seems there is a pointer to login.php that is looking for /admin/login.php. again, i will investigate this later. i feel alright about leaving it admin as long as it is password protected. I had a feeling just remaining the folder wasn't all that was involved, but thought i would give it a shot.

Thanks!