Password Protect Your Website Admin Area

Security

Over the last few years, our websites have been subject to regular attacks. One of the most common attacks was sending bots to repeatedly attempt to login to our admin area. Some of the attacks were severe enough to slow or crash our website.

We’ve stopped those attacks from happening by creating an additional layer of security for our admin areas.

We keep hackers out of your admin area is to create an additional username and password via a file called htpasswd. That extra password screen prevents the bots from reaching our admin login and has eliminated problems with repeated login attempts.

This tutorial will show you how to do that in three easy steps. Let’s get started.

1) Navigate to Your Admin Area

Use your host’s file manager or FTP to access the admin folder of your website. For example:

  • Joomla’s folder is /administrator
  • WordPress’ folder is /wp-admin

2) Create .htpasswd

In your admin folder, create a .htpasswd file with the following contents:

  • YourSecretUsername:YourSecretPassword

Replace the above username and password with any that you’d like.

3) Create .htaccess

Create a .htaccess file and add the following code to it:

{codecitation}AuthUserFile “/home/username/public_html/administrator/.htpasswd”
AuthName “Restricted Area”
AuthType Basic
require valid-user
RewriteEngine On
RewriteRule \.htpasswd$ – [F,L] {/codecitation}

In the above code, switch /home/username/public_html/administrator to your host’s full path to your admin folder.

4) Additional Step for Drupal

If you’re using Drupal, you’ll need to do an additional step:

  • Install the Global Redirect module to force all URLs to the clean SEF URLs, so that your password protection can’t be by-passed.

That’s it. Now check your admin area and you should be prompted for the additional username and password.

media_1400071207802.png

Instructor

  • Nick is the Director of Support at OSTraining and you can find him in almost every area of the site, from answering support requests and account questions to creating tutorials and software.

0 0 votes
Blog Rating
Subscribe
Notify of
13 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Laszlo

Admin Tools extension from Akeeba can do these steps instead of you in Joomla (even the free version).

You do not have to edit the files manually, only provide username and password in the administration area.

refinedwooddesigns

I understand that creating the .htpasswd and .htaccess files further help with admin security but how does that help with bot attacks that slow or crash the site?

steve

Hi Michael
Good question – I’ve added a note of clarification to the blog.
Repeated attempts against the admin login will strain the site’s database and server.
However, the extra login is just stored in a flat file and so create much less stress.
Plus, bots are very familiar with the WP and Joomla login screens, but likely confused by the .htpasswd login screen.

Omnia

In drupal, where to place the password file? no place for admin path like joomla

Vinoth Barnabas

You can prevent web crawler or bots from targeting specific areas of the domain by declaring it in a file called robots.txt at the root folder.
The content of the robots file will be similar to this
User-agent: *

Disallow: /p/

Disallow: /r/

Disallow: /bin/

Disallow: /includes/

Michael Lavrik

you can use admin tools to get a password setup on the admin area. here is a tutorial [url=https://www.interserver.net/tips/kb/how-to-password-protect-admin-area-in-joomla/]https://www.interserver.net…[/url]

TheTails Labs

Thanks! Nice protection but is this the best?

Edirin Michael Aphunu

i tried it but i cant login in, its always displaying the login page

cstech

Hello Nick Savov,
Thanks for your tuto.
I try to set this under Joomla 3.8.5
Unfortunately after setting I get 404 error page

Any help

13
0
Would love your thoughts, please comment.x
()
x