A web site that is powered by a CMS (Content Management System) is a beautiful thing. But, it can also be a target of hackers and other undesirables.

While no web site is truly impervious to attack, webmasters need to take every precaution available, preferably utilizing layered protection. One option available to sites hosted on a Linux/Apache platform is the .htaccess file. If used properly, it will really give your site an additional layer of protection.

In this post, I will be speaking about the way to specifically use the .htaccess file to block access to the CMS portion of your site, for example the /wp-admin folder of your WordPress blog. If an outsider gained access to that, you could really be up the creek – so we want to block unauthorized access.

First – the Disclaimer

.Htaccess CautionIf you don’t know what an .htaccess file is – stop reading now. These files are powerful and are not for noobs. If you do know what these files are, use the following information at your own risk. If you are on a Microsoft IIS web server – stop reading now as I am not going to cover how to do this on a Windows server, but you can Google it for youself.

What We Are Going to Do

This tip will show you how to block ALL IP addresses except the ones that you put on the “approved” list. This means that you should think about any computer(s) that you want to provide with access. Remember, this could also include other writers and blog contributors you have helping you. If a computer tries to access the CMS but their IP address is not on the “approved” list, they will be blocked and given the “Error 403 Forbidden” message.

Here We Go…

The first step is to get the IP addresses of your computer and any that you want to grant access. If you don’t know your computer’s IP address, you can visit this link to get it. Make a note of the IP address.

Now, open Notepad++ or whatever basic text editor you use and start a new document with this content:


# use this to block access to the site administration section
# IMPORTANT – place in the directory that contains your admin information
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Example Access Control”
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from ENTER YOUR COMPUTER’S IP ADDRESS HERE
allow from SECOND APPROVED IP ADDRESS HERE
</LIMIT>

Save that file as .htaccess with no file extension.

Upload the .htaccess file to the directory on your web server that contains all your Admin stuff. In WordPress, that directory would be /wp-admin, for example.

IMPORTANT: DO NOT put this file on the root level of your website or you will be the only one that can see your website. Make sure to place it in the directory that handles your web site’s Administration information. That will keep most of the bad guys from snooping around. But, in reality, if someone wants in, they will find a way.

Testing it Out

Get someone on a different IP address to try to access to your Admin directory. If they get the “403 Forbidden” message but you can access it with no problem, that means your .htaccess file is doing its job. Just make sure to completely test it out before you call it a day.

And remember – if you are not comfortable with .htaccess files, do not try this. Leave a comment asking for some assistance or do some research on your own before attempting.

This is somewhat of an advanced .htaccess post.

Advertisements