Recently I was asked to set up a small e-commerce website and I wanted to ensure certain directories could only be accessed by those who needed to. One of those pages was phpmyadmin which, if brute forced, could cause a lot of damage. Despite having a strong password for phpmyadmin, it only makes sense to hide it further behind a password prompt using .htaccess.
To begin with, this was added to the .htaccess file in the directory we wish to protect.
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /location/of/.htpasswd
Require valid-user
After that, a .htpasswd file was generated. I chose to generate this file in a directory not accessible to the web, and AuthUserFile above points at it with an absolute path.
htpasswd -c /location/of/.htpasswd username_of_choice
At this point you will be prompted to enter a password, and then to repeat that password. This may be repeated for as many users as you require. If more users are added, bear in mind that the -c switch creates the file from scratch each time, clearing any users already in it, so leave it out for subsequent users.
As always, a lot more information on this is available in the Apache documentation as well as in your terminal:
man htpasswd
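To make the -c behaviour concrete, here is a small added example (not part of the original post, and not the htpasswd tool itself) that maintains a .htpasswd file in Python. It writes the {SHA} hash form that Apache's mod_authn_file accepts (the same form `htpasswd -s` produces), and its create flag deliberately mirrors -c: the file is rebuilt from empty, so earlier users disappear. The user names, passwords and temporary path are constructed for the demo. Real deployments should keep using htpasswd, preferably with its bcrypt option (-B); {SHA} is used here only because it needs nothing beyond the standard library.

```python
import base64
import hashlib
import hmac
import os
import tempfile


def sha_hash(password: str) -> str:
    """Return the {SHA}base64(sha1(password)) form accepted by mod_authn_file."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def read_htpasswd(path: str) -> dict:
    """Parse user:hash lines; a missing file is simply an empty user set."""
    users = {}
    if not os.path.exists(path):
        return users
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            user, _, hashed = line.partition(":")
            users[user] = hashed
    return users


def write_htpasswd(path: str, users: dict) -> None:
    """Rewrite the whole file and keep it unreadable to other local accounts."""
    with open(path, "w", encoding="utf-8") as fh:
        for user, hashed in users.items():
            fh.write(f"{user}:{hashed}\n")
    os.chmod(path, 0o640)


def add_user(path: str, username: str, password: str, create: bool = False) -> list:
    """Add or replace one user. create=True behaves like `htpasswd -c`:
    it starts from an empty file, so every existing user is discarded."""
    if ":" in username or not username:
        raise ValueError("user names must be non-empty and contain no ':'")
    users = {} if create else read_htpasswd(path)
    users[username] = sha_hash(password)
    write_htpasswd(path, users)
    return sorted(users)


def verify(path: str, username: str, password: str) -> bool:
    """Check a password against the stored {SHA} hash in constant time."""
    hashed = read_htpasswd(path).get(username)
    if hashed is None or not hashed.startswith("{SHA}"):
        return False
    return hmac.compare_digest(hashed, sha_hash(password))


def demo() -> dict:
    """Walk through the -c pitfall in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".htpasswd")  # constructed path for the demo
        after_create = add_user(path, "alice", "correct horse", create=True)
        after_append = add_user(path, "bob", "battery staple")  # no -c: alice survives
        after_second_create = add_user(path, "carol", "s3cret", create=True)  # -c again: wipes alice and bob
        return {
            "after_create": after_create,
            "after_append": after_append,
            "after_second_create": after_second_create,
            "carol_ok": verify(path, "carol", "s3cret"),
            "alice_gone": verify(path, "alice", "correct horse"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the sequence from the post: the first user is created with the equivalent of -c, the second is appended without it and both remain, and a third creation with -c leaves only the new user, after which the original user's password no longer verifies.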