Secure adminhtml with directory protection
In this tutorial I show how to secure adminhtml with directory protection. It is a very simple task that noticeably enhances security. Most Magento shops are under attack, and the shop owner or the developer responsible for the shop often doesn't even know it. A careful brute force attack on the adminhtml login raises no warnings, and with weak passwords you may get hacked.
I already showed how to detect and prevent brute force attacks by blocking IP addresses. A simple but effective way to stop those attacks is to activate directory protection for the adminhtml login page. If you are on an Apache web server, you only have to create a .htpasswd file with your login credentials and change your Magento .htaccess file to use it.
Create .htpasswd file
For this you can use any online tool. You can also create these credentials yourself with:
htpasswd -c /tmp/.htpasswd username
You may need to install the Linux package that provides the htpasswd tool. On my system this was:
sudo apt-get install apache2-utils
For my sample username/password this generates a .htpasswd file with the following content:
username:$apr1$VAhtPaO1$R0aAdTjaZoeN3s.hrLSvW/
Update .htaccess file
Next you need to update the Magento .htaccess file by adding a few lines that enable basic auth with the .htpasswd file. Basic auth for a real directory or file is simple. Unfortunately the Magento admin login is not a real directory or file; it is served through redirection (mod_rewrite). With a few SetEnvIf statements, however, we can require authentication for any rewritten URL we want.
First comment out "Order allow,deny" and "Allow from all" around line 190 of your .htaccess file. We do not want everyone to get access everywhere:
############################################
## By default allow all access
#Order allow,deny
#Allow from all
Then add the following at the end of the file:
SetEnvIf Request_URI ^.*/admin.* require_auth=true
SetEnvIf Request_URI ^.*/downloader.* require_auth=true
AuthType basic
AuthName "Private"
AuthUserFile .htpasswd
Order deny,allow
Deny from all
Satisfy any
Require valid-user
Allow from env=!require_auth
With the SetEnvIf statements you define which rewritten URLs you want to protect. Admin and downloader are a good start; if you changed the admin backend URL, change the pattern here as well. Depending on your web server configuration you may need to use the absolute path to your .htpasswd file. This configuration works on any Apache web server, even on a shared host where you have no access to the web server configuration.
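Before relying on the two SetEnvIf rules it is worth checking which request paths they actually cover. The following Python example is added here (it is my code, not part of the tutorial) and evaluates the same regular expressions against a list of constructed request URIs with Python's re module, which treats these simple patterns the same way Apache's PCRE engine does. The TIGHTER_PATTERNS list, the SAMPLE_URIS and the "/backend/" front name are assumptions of the example, not something the tutorial describes.

```python
import re

# The two patterns from the tutorial's .htaccess snippet.
TUTORIAL_PATTERNS = [r"^.*/admin.*", r"^.*/downloader.*"]

# An assumption of this example, not from the tutorial: only match "admin" or
# "downloader" as the first path segment (optionally behind index.php), so
# storefront URLs that merely contain the word "admin" are not challenged.
TIGHTER_PATTERNS = [r"^(/index\.php)?/(admin|downloader)(/|$)"]

# Constructed request URIs: admin and downloader entry points, a storefront
# page, a storefront URL containing the word "admin", and a custom admin
# front name ("backend") that neither tutorial pattern knows about.
SAMPLE_URIS = [
    "/admin",
    "/index.php/admin/",
    "/index.php/admin/dashboard/index/key/abc123/",
    "/downloader/",
    "/catalog/product/view/id/42/",
    "/catalog/admin-chair.html",
    "/backend/",
]


def requires_auth(request_uri, patterns):
    """Mimic `SetEnvIf Request_URI <regex> require_auth=true`.

    SetEnvIf sets the variable when the regex matches anywhere in Request_URI
    (these patterns are anchored with ^ anyway).  With `Allow from
    env=!require_auth` only requests that matched no pattern bypass basic auth,
    so True here means the browser gets a 401 until it authenticates.
    """
    return any(re.search(p, request_uri) for p in patterns)


def audit_coverage(request_uris, patterns):
    """Map each URI to whether it would be challenged, for review before
    enabling the rules on a live shop."""
    return {uri: requires_auth(uri, patterns) for uri in request_uris}


def unprotected(request_uris, patterns, must_protect):
    """Return the URIs in `must_protect` that the patterns would leave open.

    An empty list is the result you want before going live; a non-empty one
    usually means the admin front name was changed without updating SetEnvIf.
    """
    coverage = audit_coverage(request_uris, patterns)
    return [uri for uri in must_protect if not coverage.get(uri, False)]


if __name__ == "__main__":
    for name, patterns in (("tutorial", TUTORIAL_PATTERNS), ("tighter", TIGHTER_PATTERNS)):
        print(f"--- {name} patterns ---")
        for uri, protected in audit_coverage(SAMPLE_URIS, patterns).items():
            print(f"{'AUTH' if protected else 'open'}  {uri}")
    print("left open:", unprotected(SAMPLE_URIS, TUTORIAL_PATTERNS, ["/admin", "/backend/"]))
```

Run it once with your real admin front name in SAMPLE_URIS: an over-broad pattern such as `^.*/admin.*` only annoys customers on a URL like /catalog/admin-chair.html, but a pattern that does not match your actual admin URL leaves the login page unprotected while you believe it is covered. Two further points on the snippet itself: Apache resolves a relative AuthUserFile path against ServerRoot, not against the directory holding the .htaccess file, so the absolute path is the safe choice; and the Order, Deny, Allow and Satisfy directives are the Apache 2.2 access syntax, which Apache 2.4 only understands with mod_access_compat loaded.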
Multiple users
If you want more than one user for the adminhtml directory protection, simply copy the generated lines from the individual .htpasswd files into one file, one user per line.
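Both the .htpasswd line generated above and the one-user-per-line merge described here come down to a few lines of parsing and hashing. The following Python example is added here (it is my code, not from the tutorial and not an Apache tool): it reimplements the $apr1$ MD5 hash that htpasswd produced above plus the {SHA} variant, so you can check offline what a given .htpasswd line accepts and verify a merged file before deploying it. The second line of SAMPLE_HTPASSWD, the user names shop_admin and second_admin, and the passwords are constructed for the demo; the first line is the tutorial's own example entry.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample file: line one is the tutorial's own example entry, line two
# is a {SHA} entry for the password "password" made for this demo.
SAMPLE_HTPASSWD = (
    "username:$apr1$VAhtPaO1$R0aAdTjaZoeN3s.hrLSvW/\n"
    "shop_admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt-style base64: the low 6*count bits, least significant group first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_hash(password, salt=None):
    """Apache MD5 ($apr1$) hash, the format htpasswd produced in the tutorial:
    md5-crypt with the magic string "$apr1$", 1000 rounds, 22 character digest."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sb = password.encode("utf-8"), salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:  # feed len(pw) bytes taken from the alternate digest
        ctx.update(alt[:min(plen, 16)])
        plen -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${salt}${encoded}"


def sha1_hash(password):
    """{SHA} format (htpasswd -s): unsalted base64(SHA-1); parse it, don't pick it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored, password):
    """Check a password against one stored hash field with a constant-time compare."""
    if stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored[6:].split("$", 1)[0])
    elif stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    else:
        return False  # crypt(3) and bcrypt entries are not handled in this demo
    return hmac.compare_digest(candidate.encode(), stored.encode())


def parse_htpasswd(text):
    """One 'user:hash' per line; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            entries[user] = stored
    return entries


def add_user(entries, user, password):
    """Copy of entries with user added (or re-hashed) using a fresh random salt."""
    return {**entries, user: apr1_hash(password)}


def render_htpasswd(entries):
    return "".join(f"{user}:{stored}\n" for user, stored in entries.items())


def check_login(text, user, password):
    """What Apache does per request: look the user up, then verify the password."""
    return verify_password(parse_htpasswd(text).get(user, ""), password)
```

After merging several generated lines into one file, run check_login(text, user, password) for every admin to confirm the merged file still accepts each of them. Keep the real file outside the document root and readable only by the web server user: the hashes in it can still be attacked offline if the file leaks, even though Apache's stock configuration refuses to serve any file whose name starts with .ht.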
Conclusion
It is very easy to secure adminhtml with directory protection, i.e. web server basic authentication. With this cheap and fast addition it is nearly impossible to brute force a Magento login. Feel free to use it.
Do you have any thoughts on that? Does it work with your shop?