.htpasswd protect Magento’s Admin

Magento Commerce

It appears the French Magento community, who originally offered a fix for the exploit found in Magento, agrees with my reply. I mentioned that the ideal solution would be to fix the bug in an official release from Magento, change your admin path, and also use Apache's .htpasswd to add a second layer of password protection to Magento's backend, to help prevent any future exploits of Magento's backend functionality.

http://www.magentocommerce.com/boards/viewthread/33671/P15/#t110850

Since I can't read French, here's a BabelFish translation with a walkthrough on how to add Apache password protection to your Magento admin:

Translation result for http://www.wikigento.com/?p=458.

Here is a home-grown solution, in 3 steps, which works provided you are able to modify the settings of your Apache VirtualHost or can have your hosting provider do it. (Written from memory, but it should work on most Linux distributions, with a root shell.)

Step 1:

Copy (CTRL+C) the following:

<LocationMatch "/admin">
AuthUserFile /var/www/htdocs/.htpasswd
AuthType Basic
AuthName "Magento Backoffice Login"
Require valid-user
</LocationMatch>

<LocationMatch "/downloader">
AuthUserFile /var/www/htdocs/.htpasswd
AuthType Basic
AuthName "Magento Backoffice Login"
Require valid-user
</LocationMatch>

Append it to the VirtualHost configuration of your site, for example:
cat >> /etc/apache2/sites-available/magento

CTRL+V (to paste)
CTRL+D (ends input to the file and saves it)

Replace /var/www/htdocs/.htpasswd with the correct path for your site, and /etc/apache2/sites-available/magento with the path to your site's VirtualHost file.

Being able to do this in .htaccess would have been ideal, because even without being root on the machine you could patch the problem on shared hosting, but... the "LocationMatch" directive does not work in .htaccess... :-(

Step 2:

Create the .htpasswd file:
htpasswd -c /var/www/htdocs/.htpasswd backoffice
chown root:root /var/www/htdocs/.htpasswd
chmod 644 /var/www/htdocs/.htpasswd

The program asks you for a password; choose a decent one (at least 8 characters, including two special characters). As before, replace the path with the correct one for your site; the chown and chmod set reasonable permissions on the htpasswd file.

Step 3:

Restart Apache: /etc/init.d/apache2 restart

(a reload is probably enough, I no longer remember)

Checking:

Go back to your admin; you should get a dialog asking you for a login and a password. Use the login backoffice and the password you typed. Do not use "remember my password" in your browser.

PS: Don't forget that the Apache configuration (generally /etc/apache2/apache2.conf) must contain the following:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

This prevents anyone from downloading your .htaccess and .htpasswd files (it should normally be there by default). Note that Order/Deny is Apache 2.2 syntax; on Apache 2.4 the equivalent inside the same Files block is Require all denied.
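The following Python model is added here and is not part of the post or of Apache; it shows how the two LocationMatch blocks gate a request. LocationMatch takes a regular expression that Apache searches anywhere in the request path, so "/admin" also covers Magento's usual /index.php/admin/... URLs (and anything else containing "admin"), and if you change the admin path as recommended above, the pattern has to change with it. The .htpasswd entry (in the {SHA} scheme), the user name and the password are constructed for the example.

```python
import base64, hashlib, hmac, re
# Constructed copy of the walkthrough's blocks, trimmed to what this model reads.
APACHE_CONF = """
<LocationMatch "/admin">
AuthType Basic
Require valid-user
</LocationMatch>
<LocationMatch "/downloader">
AuthType Basic
Require valid-user
</LocationMatch>
"""

def sha_entry(user, password):
    """An .htpasswd line in the {SHA} scheme (the form 'htpasswd -s' writes)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"

# Constructed .htpasswd content for the 'backoffice' user created in step 2.
HTPASSWD = sha_entry("backoffice", "correct-horse-battery!?")

def protected_patterns(conf):
    """LocationMatch takes a regex that Apache searches, unanchored, in the path."""
    return re.findall(r'<LocationMatch\s+"([^"]+)"\s*>', conf)

def path_is_protected(conf, path):
    return any(re.search(p, path) for p in protected_patterns(conf))

def credentials_ok(htpasswd, user, password):
    # Only {SHA} entries are handled here; the comparison is constant-time.
    for line in htpasswd.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            return hmac.compare_digest(stored, sha_entry(user, password)[len(user) + 1:])
    return False

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decide(conf, htpasswd, path, authorization=None):
    """Status the gate yields: 200 = request reaches Magento, 401 = challenge."""
    if not path_is_protected(conf, path):
        return 200
    if not authorization or not authorization.startswith("Basic "):
        return 401
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return 401
    return 200 if credentials_ok(htpasswd, user, pw) else 401
```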

  • Fuck

    your English is SHIT

  • Anonymous

    Gee, how insightful of you. I guess you didn't bother to actually read the top portion of the article either and realize it's a BabelFish translation from French. Captain Obvious.