Guide Protecting admin.php, the /install directory, and test & development installations using .htaccess

FateKid

DEVIL DID IT

Status

offline

Posts

14,667

Likes

125,855

Resources

3,373

Bits Credits

363

Admin

LEVEL

11

5,910 XP

If you want to provide an extra layer of protection to admin.php, the /install directory, and test & development installations, you can do so with .htaccess authentication.


Protecting admin.php
To protect admin.php, edit the .htaccess file which is in your forum root directory (e.g. /community) and add the following to it:
Code:
<Files admin.php> AuthType Basic AuthName "ACP" AuthUserFile "path/to/passwd/file" Require valid-user </Files>

The "path/to/passwd/file" will look something like "/home/my-domain/.htpasswds/public_html/community/passwd".

Then create a corresponding passwdfile. This is how to do it using cPanel.
  1. Log in to cPanel
  2. Click on Password Protect Directories
  3. Select Web Root
  4. Click on the forum root folder
  5. Check Password protect this directory
  6. Name it as "ACP"
  7. Click Save
  8. Create User
  9. Enter Username
  10. Enter Password
  11. Click on Add/modify authorised user
A passwdfile will be created in /.htpasswds/public_html/<name_of_your_forum_root_folder> .


Protecting the /install directory
To protect the /install directory, create a new .htaccess file in /install and add the following to it:
Code:
AuthType Basic AuthName "Upgrade System" AuthUserFile "path/to/passwd/file" Require valid-user
In this case it is using the same passwdfile as for the ACP so just repeat the steps above to create a different one.


Protecting test and development installations
The XF license terms state that any test and development installations "must be limited to You and Your website staff".
Again, just place the following at the top of the existing .htaccess file in the directory where XF is installed.
Code:
AuthType Basic AuthName "Test Installation" AuthUserFile "path/to/passwd/file" Require valid-user
Set the user and password as explained above.
With it set at the root, it isn't necessary to set it for admin.php and the /install directory.


Using IP address based protection instead of passwd
You can also use IP address protection instead of a passwdfile. In which case you would just have this in the .htaccess file for admin.php:
Code:
<Files admin.php> Order Deny,Allow Deny from all Allow from 127.0.0.1 </Files>

And this for the /install directory:
Code: Order Deny,Allow Deny from all Allow from 127.0.0.1

Replace 127.0.0.1 with your actual IP address. You can find out your IP address here.
Additional allowed IP addresses can be added on a new line.

If you have a static IP address then this approach is fine. If it's dynamic however, you will need to constantly update the file every time it changes.
 

Status

offline

Posts

49

Likes

83

Resources

3

Bits Credits

0

LEVEL

0

120 XP

This is also, work. But, it's very strictly on IP

Code:
<Files admin.php>
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^xxx\.xx\.x\.x
RewriteCond %{REMOTE_HOST} !^x\.x\.x\.x
RewriteCond %{REMOTE_HOST} !^x\.x\.x\.x
RewriteCond %{REQUEST_URI} !/index\.php$
RewriteRule .* /index.php [R=302,L]
</Files>
 

Status

offline

Posts

8

Likes

10

Bits Credits

0

LEVEL

0

95 XP

This is also, work. But, it's very strictly on IP

Code:
<Files admin.php>
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^xxx\.xx\.x\.x
RewriteCond %{REMOTE_HOST} !^x\.x\.x\.x
RewriteCond %{REMOTE_HOST} !^x\.x\.x\.x
RewriteCond %{REQUEST_URI} !/index\.php$
RewriteRule .* /index.php [R=302,L]
</Files>
so this mod rewrite can protect my site from sql injection
 
Liked by:

FateKid

DEVIL DID IT

Status

offline

Posts

14,667

Likes

125,855

Resources

3,373

Bits Credits

363

Admin

LEVEL

11

5,910 XP

so this mod rewrite can protect my site from sql injection
This wouldn't protect your entire system install from SQL attacks, we'd recommend setting up a complex firewall for that; however, it will add a layer of protection by restricting access to your administrative sections of your website from potential malicious users.
 

Status

offline

Posts

8

Likes

10

Bits Credits

0

LEVEL

0

95 XP

This wouldn't protect your entire system install from SQL attacks, we'd recommend setting up a complex firewall for that; however, it will add a layer of protection by restricting access to your administrative sections of your website from potential malicious users.
thank you for asnwer <3 do you have any idea about other protection
 
Liked by:

FateKid

DEVIL DID IT

Status

offline

Posts

14,667

Likes

125,855

Resources

3,373

Bits Credits

363

Admin

LEVEL

11

5,910 XP

thank you for asnwer <3 do you have any idea about other protection
Sure thing! I always recommend to utilize CloudFlare or FluxCDN (depending on your county location) to quickstart protections.
Use origin SSL protection, with firewall rules to protect and configure blocks and restrictions to incoming traffic based on your personal preferences.
 

Status

offline

Posts

8

Likes

10

Bits Credits

0

LEVEL

0

95 XP

Sure thing! I always recommend to utilize CloudFlare or FluxCDN (depending on your county location) to quickstart protections.
Use origin SSL protection, with firewall rules to protect and configure blocks and restrictions to incoming traffic based on your personal preferences.
Wow, I didn't expect the admins to respond this quickly
Post automatically merged:

I like this forum, I'm new to this forum, but you respond so fast
 

Status

offline

Posts

8

Likes

10

Bits Credits

0

LEVEL

0

95 XP

This is also, work. But, it's very strictly on IP

Code:
<Files admin.php>
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^xxx\.xx\.x\.x
RewriteCond %{REMOTE_HOST} !^x\.x\.x\.x
RewriteCond %{REMOTE_HOST} !^x\.x\.x\.x
RewriteCond %{REQUEST_URI} !/index\.php$
RewriteRule .* /index.php [R=302,L]
</Files>
btw FateKid does it work it is placed in htaccess
 
Liked by:

FateKid

DEVIL DID IT

Status

offline

Posts

14,667

Likes

125,855

Resources

3,373

Bits Credits

363

Admin

LEVEL

11

5,910 XP

btw FateKid does it work it is placed in htaccess
To my knowledge, this is not out-of-the-box. You'll need to configure the code to replace X.X etc with your designated IP address/s
 
Liked by:

Bees?

(っ◔◡◔)っ ♥ Bees? Bees. ♥

Status

offline

Posts

900

Likes

8,798

Resources

938

Bits Credits

9

Admin

LEVEL

10

3,380 XP

To my knowledge, this is not out-of-the-box. You'll need to configure the code to replace X.X etc with your designated IP address/s
This is guidance lol
 

Latest threads

Forum statistics

Threads
53,978
Messages
84,028
Members
50,595
Latest member
pcgamerzbg
Top Bottom