How to Secure Your Admin.php Page With Password

leelipop · June 8, 2010, 12:00am

Hello All,

Here is how to increase your back-office safety:

1 - Connect to your CS-Cart directory with a ftp program (as FileZilla)

2 - Copy your the full path to your CS-Cart directory. In our example:

/usr/www/users/CS-Cart

3 - Download and edit with SciTE your “.htaccess” file

4 - Add this lines in the beginning of your : “.htaccess” file

```php ## password begin ##

AuthUserFile /usr/www/users/CS-Cart/.passwd

AuthName “admin.php”

AuthType Basic

require valid-user

password end ## ```

5 - Save your ".htaccess" file on your server.

6 - Go to:

[url]http://home.flash.net/cgi-bin/pw.pl[/url]

7 - Write an username + password couple. In our Example:

Username: Admin
Password: Admin

[B]However, I recommend another couple of words, or better, a real [URL="http://www.pwcrack.com/passwordgenerator.shtml"]strong password generator[/URL] that is more difficult to hack.[/B]

You can check your password with:

[url]http://www.passwordmeter.com/[/url]

8 - Click on "Encrypt" button

9 - Copy result. In our example:

```php Admin:IrPks1HaxSC0Y ```

10 - With [URL="http://www.scintilla.org/SciTEDownload.html"]SciTE[/URL] create a new file

11 - Paste your username + password result into it (Admin:IrPks1HaxSC0Y).

12 - Save this new file with this name:

```php .passwd ```

13 - Upload this newfile file (.passwd) on your CS-Cart root directory:

```php /usr/www/users/CS-Cart/ ```

This ".passwd" file [B]NEEDS[/B] to be in your CS-Cart [B]ROOT[/B] directory:

```php /usr/www/users/CS-Cart/.passwd ```

14 - Connect to your admin page:

[B]MyWebSite.com/admin.php[/B]

15 - That's it, server should ask you an username + password couple [B]BEFORE[/B] to be able to connect on!

Now it's a [B]LITTLE[/B] bit more difficult to hack your Admin.php!

Lee Li Pop

texasguy · June 8, 2010, 12:00am

From my idea yesterday?

[url]http://forum.cs-cart.com/showpost.php?p=86275&postcount=5[/url]

leelipop · June 9, 2010, 12:00am

Hello TexasGuy,

[quote name=‘TexasGuy’]From my idea yesterday?

[/QUOTE]

Yes, but very few people know how to do, this is why I wrote this “step by step” how to secure access.

Now, I hope every CS-Cart user understand why and how to it’s important to secure their back-office.

This locked access to admin.php and the Chinese password to login to your back-office and the ability to change the “admin.php” name, I think that’s more secure than the basic standard.

Safety first!

That’s important in Life…

Lee Li Pop

texasguy · June 9, 2010, 12:00am

I am totally fine with it, more in the know - the merrier…

Question, why .passwd and not .htpasswd ?

Plus, for .htpasswd there are many on-line generators.

leelipop · June 9, 2010, 12:00am

Hello TexasGuy,

[quote name=‘TexasGuy’]I am totally fine with it, more in the know - the merrier…

Question, why .passwd and not .htpasswd ?

Plus, for .htpasswd there are many on-line generators.[/QUOTE]

Because this one works fine for me and I don’t know any other method…

If you have time, open a new thread or reply below another method.

It seems there is much misunderstanding in the protection of this vital page to the security of a CS-Cart website.

For example, it seems to be a heresy to write in clear the admin.php page into robots.txt file.

OK, I know, many posters here say the opposite:

[url]http://forum.cs-cart.com/showthread.php?t=16357&highlight=/admin.php[/url]

[url]http://forum.cs-cart.com/showthread.php?p=76722#post76722[/url]

[url]http://forum.cs-cart.com/showthread.php?p=78949#post78949[/url]

[url]http://forum.cs-cart.com/showthread.php?p=58241#post58241[/url]

[url]http://forum.cs-cart.com/showthread.php?p=82500#post82500[/url]

For me, it NOT do, ESPECIALLY because it is a free invitation to hackers.

For me, do NOT put admin.php page in clear in robots.txt!

And quite the opposite, you MUST change the name of your admin.php page with this official CS-Cart technique and keep it secret and locked it with .passwd or htpasswd.

Here is for me the real truth about security of this admin.php page.

But that is only my opinion

Lee Li Pop

texasguy · June 9, 2010, 12:00am

I don’t know if I am right but you would also need to set permissions on .passwd file or it can be viewed and hash hacked (since the directory is not fully protected but only one file). .passwrd would be just another TXT file that can be downloaded. I guess you will need to include the .passwd file to be protected by the password too, in this case. That is why password files are usually stored above the root folder.

```php

password begin ##

AuthUserFile /usr/www/users/CS-Cart/.passwd

AuthName “admin.php”

AuthType Basic

require valid-user

require valid-user

password end ##

```

leelipop · June 10, 2010, 12:00am

Hello TexasGuy,

[quote name=‘TexasGuy’]I guess you will need to include the .passwd file to be protected by the password too, in this case. That is why password files are usually stored above the root folder.[/QUOTE]

Wow… Clever

Yes, you can create a new directory above the root folder (/MySecurePasses) and put your .passwd file on.

After, add a .htaccess into this new directory (/MySecurePasses), and set it:

Allow From 1.1.1.1 (My.Own.Private.Website.Or.Server.IP) Deny From all

That’s works fine for me, but…

Am I right?

Lee Li Pop

texasguy · June 10, 2010, 12:00am

I don’t think it makes sense to htaccess a folder above the root. To access that folder usually requires a vulnerability in PHP or other scripting language file… With just “http html” you cannot access the directory since there is no way to reference to it from outside.

Test for [url]http://www.site.com/../secret_folder[/url]

But it shouldn’t work with apache. The only way to access that folder is on the internal server file level with /var/www/blah… type of a global path.

leelipop · June 10, 2010, 12:00am

Hello TexasGuy,

I tried to follow your advice to externalize passwords into a new directory above the root directory.

Could you correct me?

1 - My path looks like:

/usr/www/users/AccountName/CS-Cart/

2 - So I made a new directory (mkdir):

/usr/www/users/AccountName/PassDirectory/

3 - I changed my CS-Cart .htaccess:

```php

Order allow,deny

Deny from all

Satisfy All

password begin ##

AuthUserFile /usr/www/users/AccountName/PassDirectory/.htpasswd

AuthName “admin.php”

AuthType Basic

require valid-user

password end ## ```

4 - Added a new .htaccess in my new /PassDirectory (The directory access is protected itself by a password):

```php

Order allow,deny
Deny from all
Satisfy All

IndexIgnore *
## password begin ##
AuthUserFile /usr/www/users/AccountName/PassDirectory/.passwd
AuthName "Protected"
AuthType Basic

require valid-user

deny from all

## password end ## ```

5 - And finally put my CS-Cart .htpasswd on this new /PassDirectory.

Everything works fine for me.

Lee Li Pop

texasguy · June 10, 2010, 12:00am

Looks great but I still say that puttin .htaccess in /PassDirectory is really an overkill.

leelipop · June 11, 2010, 12:00am

Hello TexasGuy,

[quote name=‘TexasGuy’]Looks great but I still say that puttin .htaccess in /PassDirectory is really an overkill.[/QUOTE]

Or just an “over secured” by an “over worried” people…

In an other hand, read my signature: “Zero hacking attempt on first 10 years… And counting!”

Safety is somewhere between chair and computer screen

Lee Li Pop

texasguy · June 11, 2010, 12:00am

Actually, I believe the proper way is:

“Zero hacking attemptS during first 10 years… And counting!”

leelipop · June 12, 2010, 12:00am

[quote name=‘TexasGuy’]Actually, I believe the proper way is:

“Zero hacking attemptS during first 10 years… And counting!”[/QUOTE] :oops:

Thank you TexasGuy, signature corrected!

Lee Li Pop

texasguy · June 14, 2010, 12:00am

Happy to help.

Just a logical question, how do you know that there were 0 hacking attempts. Not every attempt is evident, it can be very childish but an attempt. What if I tried to hack in but because of my inexperience I was unable to find a vulnerability, yet I might say that I did attempt. If, say, I was a more seasoned hacker, I could have tried to brute force something, it might have been evident after a while that an attempt took place, a more serious attempt. Plus, I am sure someone has scanned port of your machine at some point, one might argue that it was also an automated attempt…

Sorry, it is just my inquisitive nature to ask questions and argue. While it can be great for work, socially it might be a bit daunting.

leelipop · June 14, 2010, 12:00am

Well TexasGuy,

Absolutely, you’re smarter than me. :o

My lack of knowledge is compensated with my lucidity about security, and my right choice to choosing Pair, a very strong web hosting company. With success for 10 year: Please, read again my first post of this thread.

For me an “attempt” piracy is a “successful attempt”, like many subjects on forums:

“My website has been hacked!”.

I don’t know if I can access to the logs at Pair (this don’t worry me). So, I cannot tell you if there had failed hacking attempts on this past decade.

For cons, I can tell you that none of my sites never fell under attacks of a pirate.

To me, security means this:

Having a site that runs safely without worries.

Lee Li Pop