1 - Connect to your CS-Cart directory with an FTP program (such as FileZilla)

2 - Copy the full path to your CS-Cart directory. In our example:

```
/usr/www/users/CS-Cart
```

3 - Download your ".htaccess" file and edit it with [URL="http://www.scintilla.org/SciTEDownload.html"]SciTE[/URL]

4 - Add these lines at the [U]beginning[/U] of your ".htaccess" file:

```apache
## password begin ##
AuthUserFile /usr/www/users/CS-Cart/.passwd
AuthName "admin.php"
AuthType Basic
<Files "admin.php">
require valid-user
</Files>
## password end ##
```

5 - Save your ".htaccess" file on your server.

6 - Go to:

[url]http://home.flash.net/cgi-bin/pw.pl[/url]

7 - Write a username + password couple. In our example:

Username: Admin
Password: Admin

[B]However, I recommend another couple of words, or better, a real [URL="http://www.pwcrack.com/passwordgenerator.shtml"]strong password generator[/URL] that is more difficult to hack.[/B]

You can check your password with:

[url]http://www.passwordmeter.com/[/url]

8 - Click on the "Encrypt" button

9 - Copy the result. In our example:

```
Admin:IrPks1HaxSC0Y
```

10 - With [URL="http://www.scintilla.org/SciTEDownload.html"]SciTE[/URL] create a new file

11 - Paste your username + password result into it (Admin:IrPks1HaxSC0Y).

12 - Save this new file with this name:

```
.passwd
```

13 - Upload this new file (.passwd) to your CS-Cart root directory:

```
/usr/www/users/CS-Cart/
```

This ".passwd" file [B]NEEDS[/B] to be in your CS-Cart [B]ROOT[/B] directory:

```
/usr/www/users/CS-Cart/.passwd
```

14 - Connect to your admin page:

[B]MyWebSite.com/admin.php[/B]

15 - That's it, the server should ask you for a username + password couple [B]BEFORE[/B] you are able to connect!

Now it's a [B]LITTLE[/B] bit more difficult to hack your Admin.php!

Lee Li Pop
I don’t know if I am right but you would also need to set permissions on the .passwd file or it can be viewed and hash hacked (since the directory is not fully protected but only one file). .passwd would be just another TXT file that can be downloaded. I guess you will need to include the .passwd file to be protected by the password too, in this case. That is why password files are usually stored above the root folder.
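The concern raised in the reply above can be checked mechanically: the following is an added example (not part of the original posts) that tests whether the `AuthUserFile` named in an `.htaccess` lies inside the web root and classifies each password-file entry by hash format. The function names are hypothetical, and the sample inputs are constructed from the thread's own example values.

```python
import posixpath
import re
# Constructed sample input, copied from the thread's example values.
DOCROOT = "/usr/www/users/CS-Cart"
HTACCESS = """AuthUserFile /usr/www/users/CS-Cart/.passwd
AuthName "admin.php"
AuthType Basic
<Files "admin.php">
require valid-user
</Files>
"""
PASSWD = "Admin:IrPks1HaxSC0Y\n"

def auth_user_file(htaccess):
    """Return the AuthUserFile path found in .htaccess text, or None."""
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', htaccess, re.I | re.M)
    return m.group(1) if m else None

def inside_docroot(path, docroot):
    """Lexical check (symlinks not resolved): is path at or below docroot?"""
    p, root = posixpath.normpath(path), posixpath.normpath(docroot)
    return p == root or p.startswith(root.rstrip("/") + "/")

def hash_scheme(field):
    """Classify an htpasswd hash by format; 13 chars is traditional DES crypt()."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"
    return "unknown"

def audit(htaccess, passwd, docroot):
    findings = []
    path = auth_user_file(htaccess)
    if path and inside_docroot(path, docroot):
        findings.append(f"{path}: password file is inside the web root")
    for line in passwd.splitlines():
        user, sep, field = line.partition(":")
        scheme = hash_scheme(field)
        if sep and scheme in ("des-crypt", "sha1-unsalted", "unknown"):
            findings.append(f"{user}: weak or unrecognised hash ({scheme})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HTACCESS, PASSWD, DOCROOT)))
```

Run against the thread's example it reports both the in-root password file and the 13-character crypt()-format entry; traditional crypt() uses only the first 8 characters of the password.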
[quote name='TexasGuy']I guess you will need to include the .passwd file to be protected by the password too, in this case. That is why password files are usually stored above the root folder.[/quote]
Wow… Clever
Yes, you can create a new directory above the root folder (/MySecurePasses) and put your .passwd file in it.
Then add a .htaccess into this new directory (/MySecurePasses), and set it:
```apache
# 1.1.1.1 = My.Own.Private.Website.Or.Server.IP
Allow From 1.1.1.1
Deny From all
```
I don’t think it makes sense to htaccess a folder above the root. To access that folder usually requires a vulnerability in PHP or other scripting language file… With just “http html” you cannot access the directory since there is no way to reference it from outside.
Just a logical question, how do you know that there were 0 hacking attempts? Not every attempt is evident, it can be very childish but an attempt. What if I tried to hack in but because of my inexperience I was unable to find a vulnerability, yet I might say that I did attempt. If, say, I was a more seasoned hacker, I could have tried to brute force something, it might have been evident after a while that an attempt took place, a more serious attempt. Plus, I am sure someone has scanned the ports of your machine at some point, one might argue that it was also an automated attempt…
Sorry, it is just my inquisitive nature to ask questions and argue. While it can be great for work, socially it might be a bit daunting.
My lack of knowledge is compensated by my lucidity about security, and my right choice in choosing Pair, a very strong web hosting company. With success for 10 years: Please, read again my first post of this thread.
For me, an “attempt” at piracy is a “successful attempt”, like many subjects on forums:
“My website has been hacked!”.
I don’t know if I can access the logs at Pair (this doesn’t worry me). So, I cannot tell you if there have been failed hacking attempts over this past decade.
On the other hand, I can tell you that none of my sites ever fell under a pirate’s attack.