Password Protect Your Website Admin Area
Over the last few years, our websites have been subject to regular attacks. One of the most common attacks was sending bots to repeatedly attempt to login to our admin area. Some of the attacks were severe enough to slow or crash our website.
We’ve stopped those attacks from happening by creating an additional layer of security for our admin areas.
The way we keep hackers out of our admin area is to create an additional username and password via a file called .htpasswd. That extra password screen prevents the bots from reaching our admin login and has eliminated problems with repeated login attempts.
This tutorial will show you how to do that in three easy steps. Let’s get started.
1) Navigate to Your Admin Area
Use your host’s file manager or FTP to access the admin folder of your website. For example:
- Joomla’s folder is /administrator
- WordPress’ folder is /wp-admin
2) Create .htpasswd
In your admin folder, create a .htpasswd file with one line per user in the following format:
- YourSecretUsername:YourSecretPassword
Replace the above username and password with any that you'd like. Note that Apache on Linux does not accept a plain-text password in the second field: it expects the hash written by the htpasswd utility that ships with Apache (for example, htpasswd -c -B .htpasswd YourSecretUsername creates the file and prompts for the password), so generate the line with that tool rather than typing the password in directly.
3) Create .htaccess
Create a .htaccess file and add the following code to it:
AuthUserFile "/home/username/public_html/administrator/.htpasswd"
AuthName "Restricted Area"
AuthType Basic
require valid-user
RewriteEngine On
RewriteRule \.htpasswd$ - [F,L]
In the above code, replace /home/username/public_html/administrator with your host's full path to your admin folder. Use plain straight quotes around the path and a plain hyphen in the RewriteRule; curly quotes or a dash copied from a web page will make Apache reject the file.
4) Additional Step for Drupal
If you’re using Drupal, you’ll need to do an additional step:
- Install the Global Redirect module to force all URLs to the clean SEF URLs, so that your password protection can't be bypassed.
That’s it. Now check your admin area and you should be prompted for the additional username and password.
The Admin Tools extension from Akeeba can do these steps for you in Joomla (even the free version).
You do not have to edit the files manually; just provide a username and password in the administration area.
Hi Laszlo,
Thanks for your comment! I’m sure it will be helpful to others.
You’re right. We use Admin Tools at OSTraining and have lessons for it in our Joomla Security class (http://www.ostraining.com/courses/class/joomla/security).
However, for this tutorial we wrote it in a generic way that would be applicable to all websites.
I understand that creating the .htpasswd and .htaccess files further help with admin security but how does that help with bot attacks that slow or crash the site?
Hi Michael
Good question – I’ve added a note of clarification to the blog.
Repeated attempts against the admin login will strain the site’s database and server.
However, the extra login is just stored in a flat file and so creates much less stress.
Plus, bots are very familiar with the WP and Joomla login screens, but likely confused by the .htpasswd login screen.
Hi Michael,
Generally, it eliminates an attack vector. However, check if your host has CSF enabled and, if so, ask them to enable detection of htpassword login failures.
Additionally, you could set the htaccess file to deny all IP addresses, except your own:
order deny,allow
deny from all
allow from 127.0.0.1
Switch 127.0.0.1 to your IP.
That should eliminate Denial of Service (DoS) attacks to the administrator.
In Drupal, where should the password file go? There is no admin path like in Joomla.
You can prevent web crawler or bots from targeting specific areas of the domain by declaring it in a file called robots.txt at the root folder.
The content of the robots file will be similar to this:
User-agent: *
Disallow: /p/
Disallow: /r/
Disallow: /bin/
Disallow: /includes/
Hi Vinoth,
The tutorial is for security, rather than for search engines.
You can use Admin Tools to get a password set up on the admin area. Here is a tutorial: https://www.interserver.net/tips/kb/how-to-password-protect-admin-area-in-joomla/
Thanks! Nice protection but is this the best?
Yes, because it blocks requests at the server level before the website even loads. Therefore, it saves on processing and provides full security for the admin portion of the site.
I tried it but I can't log in; it's always displaying the login page.
Hello Nick Savov,
Thanks for your tutorial.
I tried to set this up under Joomla 3.8.5.
Unfortunately, after setting it up I get a 404 error page.
Any help?