What is the best guys you know of password-protecting a folder (say /admin so that your users can't change stuff).
I heard you can do it with .htaccess or php and mysql or something, is there a simple method?
Thanks for your support
This is a discussion on Best way to password-protect a folder? in the Shared & Semi-Dedicated forum
.htaccess is really simple with cpanel
Look in cPanel for the button that says "Password Protect Directories"
Thanks
So, having that there, does that make the folder secure? How hard would it be to hack into it? And it protects all files / subfolders in that directory?
Thanks a lot
Simple htaccess authorization is vulnerable to Brute Force methods. Two things to consider on that front:
(i) use (really) long passwords that contain no dictionary words;
(ii) don't use admin (or similar) as a username and don't use admin (or similar) as the directory name. Yes, this is "security through obscurity" but an acceptable use thereof. It will reduce the probability of brute force methods succeeding / happening at all.
I guess there are many automated tools out there for scanning for 401 Authorization Required headers (the first step in a Brute Force attack).
This article discusses a way to mitigate that using an apache module although I wouldn't like to comment on how easy it is to implement.
Basic Auth is transmitted in plain text so it is vulnerable to Man In The Middle attacks. You may want to consider Digest Authentication.
There are other more cunning attacks out there, particularly on shared servers, but only time will tell how popular they become as vectors. These attacks are all XSS-based, so to mitigate them, code with XSS in mind, and keep all third party code up to date.
There are probably more ways to circumvent htaccess which depend on software bugs. My advice would be to subscribe to something like the Secunia newsletter and take a proactive and ongoing interest in your site's security. And never sleep again.
Basically, nothing is 100% secure, but if you use strong passwords, filter user input correctly, and keep software up to date you'll be most of the way there.
Personally, I like cookie auth!
And, here's a cute little trick...
http://www.lenon.com/admin.php
If you just want to protect certain files from others:
Code:
```apache
# Protect files from direct execution, except from your IP - VinDSL (Lenon.com)
<FilesMatch "(auth|admin|banners|config|config.inc|footer|header|mainfile)\.php$">
Order Deny,Allow
Deny from all
Allow from 123.45.0.0/16
</FilesMatch>
```
Last edited by Vin DSL; 11-19-2006 at 05:44 PM.
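The brute-force point raised in the replies above can be watched for from the defender's side in the access log. The following is an added example, not code from any poster in this thread: it assumes Apache's common/combined log format and that a rejected Basic Auth attempt is logged as a 401 with the attempted user name; the `/admin` prefix default, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format: host ident user [time] "request" status ...
LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_bruteforce(lines, prefix="/admin", threshold=5,
                    window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins under prefix within window.

    Returns {ip: {"failures": peak count in one window, "success_after": bool}}.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        while q and ts - q[0] > window:       # drop failures outside the window
            q.popleft()
        if m["status"] == "401" and m["user"] != "-":
            # A 401 with a user name is a rejected credential; a 401 with "-"
            # is only the initial challenge every browser receives.
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(m["ip"], {"failures": 0, "success_after": False})
                a["failures"] = max(a["failures"], len(q))
        elif m["status"].startswith("2") and m["ip"] in alerts:
            alerts[m["ip"]]["success_after"] = True   # a guess may have worked
    return alerts

def _row(ip, user, hhmmss, status):
    return f'{ip} - {user} [19/Nov/2006:{hhmmss} +0000] "GET /admin/ HTTP/1.1" {status} 512'

# Constructed sample log (documentation IP ranges, made-up user names).
SAMPLE = (
    [_row("198.51.100.20", "-", "17:00:00", 401),        # normal challenge
     _row("198.51.100.20", "editor", "17:00:05", 200)]   # normal login
    + [_row("203.0.113.7", "admin", f"17:10:{s:02d}", 401) for s in range(0, 30, 5)]
    + [_row("203.0.113.7", "admin", "17:10:40", 200)]    # success after 6 failures
    + [_row("192.0.2.9", "bob", f"17:{m}:00", 401) for m in (20, 30, 40)]  # slow typos
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE).items():
        print(ip, info)
```

An entry with `success_after` set is the case to act on first: a 2xx response following a burst of rejected credentials suggests the password should be rotated.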
"What is the best guys you know of..." oops, I don't think I was concentrating, I meant "Hey guys, what is the best way of..."
Yea, it will just be to protect a cms for photoshop tutorials, I'll be backing my server's stuff up every now and then, so it shouldn't be too much of an issue, it's not FBI high security, hehe.
That cPanel password should be sufficient. I was thinking of making a different folder for added security, but I don't think it would be worthwhile, I'll just make a complex username and password, I'll see how I go, more things to remember.
Thanks for the information and posts guys
Copyright © 2011 JaguarPC.com