xenForo - Protect admin.php link with a password

pwnd08

Programmer
Messages
223
Points
348
Hello,

Here is how to secure the admin.php link with htpasswd which requires a login and password.

First, go here
You have to be logged in to view links Log in or register now.
- Create an htpasswd password

This site believes you htpasswd

Let's take for example:

- Log in: admin
- Password: admin
19cdf10888b4b9d88a502aa0f7b3ac67.png


Here is the result:
64e07b1fbfd6eae39e0136da6de8d036.png


On your FTP to the root create a new .htpasswd file named

Inside put the result of the place.

Add this to your .htaccess

<Admin.php files>
AuthType Basic
AuthName "XenForo Panel"
AuthUserFile "/ home / the FTP / www user or public_html / .htpasswd"
Require user valid
</ Archives>
 
S

SeriousHD-

Guest
Good tutorial, that's how we protect our admin panel :y:! :grinning: + an IP protection.
I would not recommend using this actually. His method is outdated and very unsecure. Message me for the full explanation, but this would make the security virtually useless. Just a heads up, as that could be a tip in the wrong direction.
 
S

SeriousHD-

Guest
Hello,

Here is how to secure the admin.php link with htpasswd which requires a login and password.

First, go here
You have to be logged in to view links Log in or register now.
- Create an htpasswd password

This site believes you htpasswd

Let's take for example:

- Log in: admin
- Password: admin
View attachment 767

Here is the result:
View attachment 768

On your FTP to the root create a new .htpasswd file named

Inside put the result of the place.

Add this to your .htaccess

<Admin.php files>
AuthType Basic
AuthName "XenForo Panel"
AuthUserFile "/ home / the FTP / www user or public_html / .htpasswd"
Require user valid
</ Archives>
This is a very bad way to secure your site. I would flag this for removal, but it doesnt technically break rules. Long story short, using MD5 for your hash with 0 salt (or hell even with salt) can be enough to have an entire database compromised in a few hours.
 

CabCon

Head Administrator
Staff member
Head Staff Team
Messages
4,197
Points
553
I would not recommend using this actually. His method is outdated and very unsecure. Message me for the full explanation, but this would make the security virtually useless. Just a heads up, as that could be a tip in the wrong direction.
Yes, that's the reason why we are also using a IP protection. :smile:
 
S

SeriousHD-

Guest
Yes, that's the reason why we are also using a IP protection. :grinning:
Well even through the IP Protection... I can resolve your IP address still, and I can request resources as well. If you are using anything less than SHA256 (which is also questionable) your databases are insecure.
 
Top