How To: Lock Your Site by Enabling a Second Layer of Authentication

I put together a post this weekend about my personal experience installing a WordPress site on a clean Server. In the process of hardening the administration panel I found myself doing something that I don’t see discussed much – enabling Basic Access Authentication.

That got me thinking about a putting together this post which will help educate our readers on a quick and easy method that can help add a second layer of authentication to their own administrative panels. What’s great about this is it can be applied to any web application that is running on an Apache HTTP Server, those platforms include:

  • WordPress
  • Joomla
  • Drupal
  • osCommerce
  • and more…

Basic Access Authentication


This in itself will not secure your website, it should be seen as a complimentary tool only. Your ideal configuration will include:

IP Filtering + .HTACCESS Authentication + CMS Authentication

In its purest form, it’s nothing more than an easy way to add a required username and password when making a request to a directory on the web server. Your web server being where the files for your website live. This authentication would be required before the server responds to the browser with the requested information. It’s important to note however that the information is passed in the clear, unless coupled with SSL/TLS.

If you’re looking to apply something similar but want to do so securely, then you will want to look at using Digest Access Authentication. If this was the only authentication scheme I was using, I would recommend Digest Access Authentication, but as it’s complimenting my existing tools, I’m ok with Basic.

Implementing Basic Access Authentication

You can find a very good write up that walks you through the process of setting it up by reading the Apache Authentication, Authorization and Access Control page.

I’ll summarize here for those not interested in reading through all the noise:

Step 1. Create Password File

The thing to note here is you want to create the password file outside of the web directory. You can do so by using the built in password utility that comes with Apache – htpasswd. You do so by running this command via terminal:

$ htpasswd -c [path to file]/[file name] [user]

This will prompt you for a password and ask you to confirm it:

New password: [enter password]
Re-type new password: [reenter password]
Adding password for user [user name you selected]

Note: Remember to save the path and file name of the password file, you’ll need it in the next step.

Step 2. Apply The Authentication

With that file and the credentials created you can now add the directives to .htaccess. The thing to remember here is not to put it at the root of your web directory unless your intention is to block access to your entire site. Instead, be selective and use it only in places where you want to add a second layer of authentication. A good place to start is in the directory housing all your administration files.

You will add the following to your .htaccess file in those directories of interest:

AuthType Basic
AuthName “Restricted Files”
AuthUserFile [path to password file]/[name of password file]
Require user [user name created]

If you’re curious what each directive is doing, here it is:

  • AuthType – selects method used to authenticate user
  • AuthName – sets the realm in which the rule is applied
  • AuthUserFile – sets the path to the password file you just created
  • Require – sets the authorization part and passes the user to authenticate

Wrapping It Up

If you followed the steps above, along with some of the other recommendations around filtering by IP’s and Domains, then you’ve added a second layer of authentication and greatly reduced the risk of being exploited through your website administrator panel.


If you have any questions around the things discussed in this post please email us at info@sucuri.net.

Scan your website for free:
About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response as well as offensive counter measures. Catch my personal rants on tonyonsecurity.com and follow on twitter at perezbox.

  • Gaurav

    how do i set the pw in my html5 website