The server hardening process can be a daunting task for someone who’s new to the process, or who’s new to hosting in general. The good news is that there’s one simple way to help reduce attacks on your server, or at least its PHP applications.

If you run an e-commerce site, chances are you run a CMS such as WordPress, and a shopping cart application such as WHMCS. Both of these applications, like nearly all others, have a login module for the administrators. Especially in the case of well-known programs, there are plenty of people know how to find your administrative log in panel, and that includes those with less than honourable intentions.

You can easily give them one more hurdle to leap over before they get to your administrative panel, and attempt to exploit its lost password features, or simply try to gain access with a brute force attack. By setting up an additional username and password for each directory, anyone who needs access will need to successfully by pass that prompt, as well as the administrative prompt.

If you have a control panel such as cPanel, Plesk, or DirectAdmin, this process is automated, but what if you run no control panel? No worries, it’s quite simple.

1.) In your SSH account, as root, navigate to the directory above your public_html folder that contains the folder you want to secure. So, if you want to secure the /store/admin folder on your website, you’d navigate above the public_html folder.

2.) Issue this command:

htpasswd -c .htpasswd [username]


/home/user/admin/domains/ bill

You will then be prompted for a password for “bill”, or whichever username you’ve chosen.

As with any password, ensure that you choose a mixture of uppercase and lowercase letters, numbers, and special characters. Save the file. We have placed it outside of your web-accessible directory in order to prevent hacking or cracking.

Issue this command chmod go+r .htpasswd

This will secure the file.

3.) Navigate to the actual directory you wish to be secured.

4.) Create a file called .htaccess. In it, place this information:

AuthUserFile /full/path/here/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user webadmin

Issue this command: chmod go+r .htaccess. Note that above, you need to place the full path of the .htpasswd file, next to “AuthUserFile”. If you don’t know this, go back to the path where you edited .htpasswd and then issue the “pwd” command. Or failing that, you can issue the command:

locate .htpasswd

Save the file. At this point, you will need to restart Apache:

apachectl -k restart

You should now have a secured directory, which will require a separate login from whatever login script the application itself has. This will make it harder for a hacker to gain access to your vital applications.