Secure your server with htaccess

Martin Brinkmann
Mar 31, 2008
Updated • Nov 29, 2012
Development

I apologize if this topic drifts a bit away from the usual ones you find here at ghacks but I thought it would be extremely useful for everyone who has a server or webspace that supports htaccess and htpasswd. Htaccess files can do much more than just secure a directory on your server or website but I want to concentrate on this topic because it is something that I have been using on some of my websites for a very long time to increase security.

I use it mainly to secure certain directories on my websites from being accessed without the proper authorization. This is the admin directory in the case of WordPress for instance but could also be used to secure a directory that hosts some valuable files.

I would like to point out two possibilities for securing a directory with .htaccess. The first is to protect the directory by only allowing users with a certain IP or IP range to access it. Everyone else would receive an access denied error message.

The second possibility would be to create usernames and passwords that have to be supplied before accessing the content.

IP Protection:

Create a .htaccess file and add the following code to it:

AuthName "Protected Content"
AuthType Basic

order deny,allow
deny from all
#Comment
allow from 255.255.255.255

Change the IP address in the last line to the one used by the user / users. You can use wildcards * if the user is receiving dynamic IPs from his ISP. It is possible to add as many allow from lines to the .htaccess file as you want. Place that htaccess file in the directory that you want to protect (all subdirectories are affected as well).

The problem with this kind of protection is twofold. If your IP changes, say you are on holiday or accessing from a different location, you need to add or change the IPs in the htaccess code. And users who happen to have an IP in that range can access the content without problems; this is usually a user of the same ISP.
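To see exactly which clients such a rule set lets through before you rely on it, here is an added example (not part of the original article, and not Apache code) that evaluates Order / Deny from / Allow from lines against a client address the way Apache 2.2's mod_access documents it. Apache accepts three argument forms here: "all", a partial dotted address that matches a whole prefix on octet boundaries (e.g. 192.168.0), and a CIDR or netmask range; the evaluator supports those three. The function and constant names (is_allowed, ARTICLE_RULES and so on) are my own, and the addresses in the constructed variants are documentation ranges, not real hosts.

```python
import ipaddress

# Added example (not from the original article): a small evaluator that applies
# the Order / Deny from / Allow from semantics of Apache 2.2's mod_access to a
# client address, so a .htaccess rule set can be checked before it is deployed.


def parse_host_rule(arg):
    """Turn one Allow/Deny argument into a matcher function (IPv4 only here)."""
    arg = arg.strip()
    if arg.lower() == "all":
        return lambda ip: True
    if "/" in arg:  # CIDR ('203.0.113.0/24') or netmask ('10.0.0.0/255.0.0.0') form
        net = ipaddress.ip_network(arg, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    octets = arg.split(".")
    # Partial address: prefix match on octet boundaries; a full address matches only itself.
    return lambda ip: ip.split(".")[: len(octets)] == octets


def parse_access_rules(config_text):
    """Collect the Order, Allow and Deny directives; any other line is ignored."""
    order, allows, denies = "deny,allow", [], []  # Apache's default Order
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif name in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            target = allows if name == "allow" else denies
            target.extend(parse_host_rule(a) for a in parts[2:])
    return order, allows, denies


def is_allowed(config_text, client_ip):
    """Decide whether client_ip gets through, following the documented Order rules."""
    order, allows, denies = parse_access_rules(config_text)
    matches_allow = any(rule(client_ip) for rule in allows)
    matches_deny = any(rule(client_ip) for rule in denies)
    if order == "deny,allow":
        # Deny rules are applied first, a matching Allow then overrides them,
        # and a client that matches neither list is permitted.
        return matches_allow or not matches_deny
    if order in ("allow,deny", "mutual-failure"):
        # The client must match an Allow rule and no Deny rule; the default is to deny.
        return matches_allow and not matches_deny
    raise ValueError(f"unknown Order value: {order}")


# The rule set from the article above (the AuthName/AuthType lines play no part
# in the IP check and are skipped by the parser).
ARTICLE_RULES = """\
AuthName "Protected Content"
AuthType Basic

order deny,allow
deny from all
#Comment
allow from 255.255.255.255
"""

# Constructed variants: a partial-address prefix and a CIDR range.
PREFIX_RULES = "order deny,allow\ndeny from all\nallow from 192.168.0\n"
CIDR_RULES = "order deny,allow\ndeny from all\nallow from 203.0.113.0/24\n"

# The same two lines with the Order reversed, to show that the Order value changes the outcome.
REVERSED_RULES = "order allow,deny\nallow from 255.255.255.255\ndeny from all\n"

if __name__ == "__main__":
    for label, rules, ip in [
        ("article, listed address", ARTICLE_RULES, "255.255.255.255"),
        ("article, other address", ARTICLE_RULES, "203.0.113.7"),
        ("prefix, inside", PREFIX_RULES, "192.168.0.42"),
        ("prefix, outside", PREFIX_RULES, "192.168.1.42"),
        ("cidr, inside", CIDR_RULES, "203.0.113.200"),
        ("reversed order, listed address", REVERSED_RULES, "255.255.255.255"),
    ]:
        verdict = "allowed" if is_allowed(rules, ip) else "denied"
        print(f"{label:32} {ip:16} -> {verdict}")
```

Running it prints one verdict per line; the prefix and CIDR variants are the practical way to cover a user whose ISP hands out changing addresses inside one block, and the reversed-order case shows why the Order value has to be read together with the Allow and Deny lines rather than on its own.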

A more secure protection is the basic auth protection.

Password Protection:

Whenever a user tries to access a directory or file a popup will appear asking the user for a username and password. This method requires two files, a htaccess file and a htpasswd file. The htpasswd file stores the usernames and encrypted passwords and should be placed outside of the root directory of the website.

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
require valid-user

Since the passwords have to be stored in encrypted form, you need a script to generate them. A working one is the htpasswd Content Generator. Just enter a username and password and click on encrypt. Paste the line on the results page into the htpasswd file and place that file exactly at the path you specified in AuthUserFile.
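If you would rather not paste a password into a web form, the entry can be produced locally. Apache ships a command-line tool for this, htpasswd (htpasswd -c creates the file, and on Apache 2.4 htpasswd -B stores bcrypt hashes, which is the stronger choice where available). The following added example, which is mine and not part of the article or of Apache, shows what such an entry is: it implements Apache's documented $apr1$ scheme (the MD5-based format htpasswd writes by default) and the older {SHA} format, verifies a password against a stored line, and audits an htpasswd-format text so plaintext entries stand out. The function names, the sample users and the passwords are constructed for the example.

```python
import base64
import hashlib
import secrets

# Added example (not from the original article or Apache): builds and checks
# htpasswd entries offline, and audits an existing file for weak entries.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's crypt-style base64 variant used by $apr1$ entries."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Return an $apr1$ entry, the MD5-based scheme that htpasswd -m writes."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sb, magic = password.encode(), salt.encode(), b"$apr1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:  # mix in the alternate digest, 16 bytes per 16 bytes of password
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):  # the fixed 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    encoded = "".join(_to64(v, 4) for v in (
        (final[0] << 16) | (final[6] << 8) | final[12],
        (final[1] << 16) | (final[7] << 8) | final[13],
        (final[2] << 16) | (final[8] << 8) | final[14],
        (final[3] << 16) | (final[9] << 8) | final[15],
        (final[4] << 16) | (final[10] << 8) | final[5],
    )) + _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def sha1_hash(password):
    """Return a {SHA} entry (htpasswd -s): unsalted, supported here only to check old files."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def scheme_of(stored):
    """Name the hash scheme of one stored entry, or 'plaintext' if none is recognised."""
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if len(stored) == 13 and all(c in ITOA64 for c in stored):
        return "crypt"
    return "plaintext"


def verify(stored, password):
    """Check a password against one stored entry (apr1 and {SHA} only in this example)."""
    scheme = scheme_of(stored)
    if scheme == "apr1":
        salt = stored.split("$", 3)[2]
        return secrets.compare_digest(apr1_hash(password, salt), stored)
    if scheme == "sha1":
        return secrets.compare_digest(sha1_hash(password), stored)
    return False  # plaintext, crypt and bcrypt entries are rejected by this checker


def audit_htpasswd(text):
    """Return (user, scheme) for every line so weak or plaintext entries stand out."""
    return [(u, scheme_of(s)) for u, _, s in (l.partition(":") for l in text.splitlines()) if u]


def check_credentials(text, user, password):
    """Look the user up in an htpasswd-format text and verify the password."""
    for line in text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            return verify(stored, password)
    return False


# Constructed sample file; bob's entry uses a fixed salt so it is stable between runs.
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + sha1_hash("password"),
    "bob:" + apr1_hash("s3cret", "abcdefgh"),
    "carol:plaintextpw",
])

if __name__ == "__main__":
    print(apr1_hash("s3cret"))  # a fresh random salt each run, ready to paste into .htpasswd
    print(audit_htpasswd(SAMPLE_HTPASSWD))
```

The audit is the part worth running against a real file: an entry that reports as plaintext means the password was pasted in unhashed, and {SHA} entries are unsalted and worth regenerating. Whatever tool you use, the resulting file belongs at the absolute path named in AuthUserFile and outside the web root, as the article says, so it can never be served as a document.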

It is possible to combine both protections for added security. I would begin by checking whether your webhost allows these kinds of files.


Comments

  1. Topper said on April 3, 2008 at 2:59 pm

    Must be in the other order:
    AuthName "Protected Content"
    AuthType Basic

    order allow,deny

    #Comment
    allow from 255.255.255.255
    deny from all

    Apache stops after the first match – if this is Deny, this will be forbidden forever.

    Also suitable is "allow from 192.168.0" (the last octet of the network will be permitted).

    BUT .htaccess files are useful – you must prefer rules in httpd.conf because .conf is MUCH MUCH faster!

  2. Tobey said on April 1, 2008 at 12:16 pm

    Thanks for a nice tip Martin.
