Tip: Protect your admin area with .htaccess
06-18-2009, 02:39 AM

Been reading a lot of stuff on the forums about exploitation, and while I realize this method will not secure every script or fix every hole, it does add a level of security that otherwise would not exist.

Insecure passwords as well as key loggers can both be to blame for many websites becoming exploited. These two issues, however, can be easily solved (at least, from the web end - a weak FTP password renders this method almost completely useless) by using .htaccess to restrict access to the admin areas to specific IPs.

I see IP restriction as much more secure, but it isn't meant for everyone. If your IP address changes frequently, then this will (clearly) not be a rock-solid solution for you. However, if you can rely on your IP address to be the same for extended periods of time, then this will secure the most important area of your website: The admin area.

This is the file I use in my admin-area folders. It must be named ".htaccess" (no quotes; with the dot/period at the beginning).

Code:
<Files ~>
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
</Files>
Of course, you replace the x's with your IP address.

I see this as the most secure method to protect your website from defacing and exploitation, as most of the files that have the real power are located in there. This way, even if someone knows your password, their effect on your website is relatively limited.

If your IP address is prone to changing, you can use an (in my opinion) less secure authentication method from cPanel. From the "Password Protected Directories" icon in cPanel, you can give folders username/password protection. This is only as secure as the password you provide, but a general tip is to use a username that you wouldn't normally use (especially not one that's publicly displayed on your website). This will add an additional security level that will make gaining control over your website a considerable bit more difficult.
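
An added example, not part of the original post: a small Python check that evaluates the Order/Deny/Allow rules from the file above against test client addresses, so the allowlist can be confirmed before the file is uploaded. It goes slightly beyond the post by also handling `order allow,deny` and CIDR blocks; the function names are hypothetical, the sample addresses are constructed from documentation ranges, and hostname or partial-IP entries are not handled.

```python
import ipaddress

# Constructed sample: the post's .htaccess with documentation-range
# addresses (RFC 5737) standing in for the xx.xx.xx.xx placeholders.
SAMPLE_HTACCESS = """\
<Files ~>
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
</Files>
"""

def parse_rules(text):
    """Return (order, allow_specs, deny_specs) from Order/Allow/Deny lines."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # Apache's default order
    for line in text.splitlines():
        words = line.lower().split()
        if len(words) >= 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in rules and words[1] == "from":
            rules[words[0]].extend(words[2:])
    return order, rules["allow"], rules["deny"]

def matches(client, specs):
    """True if client matches 'all', a full IP, or a CIDR block in specs."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def is_allowed(text, client):
    """Apply the Order semantics of Apache 2.2 host-based access control."""
    order, allow, deny = parse_rules(text)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":
        # Allow is evaluated last, so an Allow match overrides Deny;
        # a client matching neither list is let in.
        return allowed or not denied
    # allow,deny: Deny is evaluated last and the default is to refuse.
    return allowed and not denied
```

Two cases worth running it on: with the order swapped to `allow,deny`, the `deny from all` line locks out even the listed addresses, and with the `deny from all` line missing under `deny,allow`, every address gets in.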