Protecting admin.php and the install directory using .htaccess


CabCon

Active member
Hello @Brogan,
I used Using IP address based protection instead of passwd on my website and it works perfectly <3 Thank you! Now I have set up SSL (https) and it won't work anymore. Every time I try to access my admin.php it denies access even though the correct IP is in the .htaccess file. Do you know what is causing this problem?

Regards,
CabCon.

EDIT: fixed
 

Chernabog

Well-known member
Not bad, but I recommend using this one! (works well)
Code:
<Files admin.php>
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^120\.0\.0\.1
RewriteCond %{REMOTE_HOST} !^123\.45\.56\.789
RewriteCond %{REQUEST_URI} !/index\.php$
RewriteRule .* /index.php [R=302,L]
</Files>
That way, rather than giving the person an error, it just redirects them back to the home page.... :)

please "Like" if you use! :)

@Martyn I guess the remote_host IPs need to be modified? I am trying to figure out a way to successfully secure my XF2 install and I don't see any add-ons for security unfortunately. When you do this, what @Brogan documented for example with creating a password file...does it then ask you for that secondary password when trying to access ACP or the /install directory?

As I sit here restoring 38K files over the top of my existing XF installation because of a sudden ton of wonky healthcheck file issues and unexpected content across the board :( I am just trying to figure out best practices to secure what I can, as I try to drill down and find out where the vulnerability existed so I can let whomever may benefit from it know.
 

Chernabog

Well-known member
I am going to try that also... there's no way that someone can view the password file from the outside if they know absolute paths?
 

sixlxvi

Well-known member
@Brogan is all of this info still up to date to work today with XF2?

Does 2FA in XF2 require you to use 2FA for admin.php on computers you haven't used before?
 

spyralout

Member
Is this suggested for live forum installs, and if so, which directories so it doesn't impede on regular forum traffic and the user experience? I would likely duplicate it for the test environment that is being set up by my hosting company.
 

Brogan

XenForo moderator
Staff member
Yes, it's for production sites.

For test/dev installations, you can do it at the root so it covers the entire site.
 

nicodak

Well-known member
Hello, I have no cPanel on my host, so is it OK to use .htpasswd to access my ACP?
I tried but I get an ISE 500 afterwards :(

this is my .htaccess
Code:
AuthName "ACP XenForo"
AuthType Basic
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
the .htpasswd
Less:
Myname:mypassword

When I reach the admin.php page I get a pop-up asking me for login/pwd, but after clicking the OK button I've got the Internal Server Error 500.
 

Black Tiger

Active member
Using .htaccess does not have anything to do with having cPanel or not.
However, it might be that on some Nginx configurations certain .htaccess entries won't work.

In your .htaccess you have something too much.
Remove this line
Code:
</Files>

Because I don't see a <Files admin.php> or something similar in your .htaccess, this end line may cause the error 500.
Next to that, when using a .htaccess with a .htpasswd you don't need the Files statement.

As for the .htpasswd, you have to create your password with the htpasswd executable or via an online script; it's not just that you can edit the .htpasswd and enter a password you like in there. It's encrypted.
 

Brogan

XenForo moderator
Staff member
@nicodak try this:

Code:
<Files admin.php>
AuthType Basic
AuthName "ACP XenForo"
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd
AuthGroupFile /dev/null
require valid-user
</Files>

If it still throws a 500 error then check the server error log.
 

nicodak

Well-known member
Because I don't see a <Files admin.php> or something similar in your .htaccess, this end line may cause the error 500.
There is

////
AuthName "ACP XenForo"
AuthType Basic
AuthUserFile /lamp0/web/vhosts/cocoriweb.community/htdocs/xyz/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
////

As for the .htpasswd, you have to create your password with the htpasswd executable or via an online script; it's not just that you can edit the .htpasswd and enter a password you like in there. It's encrypted.
I did it here
 