Can no more access backend with .htpasswd

Post by asifak » Thu Mar 27, 2014 11:02 am

Would anyone be kind enough to guide me here?

My site with Joomla 1.5.23 has been working for the last 2 years, and has .htaccess and .htpasswd installed in the administrator directory. The idea is that when anyone accesses the backend, the webpage asks for a username and password, hence providing dual protection. If the login is successful, the standard Joomla login page appears.

It was working fine. I have not done anything on this, and now I can no longer access the backend. When I enter the username / password, a blank page appears. If I remove the following from the .htaccess, the standard Joomla login page appears; it seems that something is wrong with the .htpasswd system.
*******************
AuthUserFile /var/www/vhosts/domain.com/httpdocs/administrator/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user username
***********************
I tried giving it another password and then it says that the password is wrong, which shows that the .htpasswd login is working, but somehow it is not directing to the Joomla login page.

Any help?

Re: Can no more access backend with .htpasswd

Post by itoctopus » Thu Mar 27, 2014 4:05 pm

Enable error reporting (set it to "Maximum") on your Joomla site to see what the error is (there must be a fatal error somewhere).

It might be that something in your environment changed or your website is hacked (it's Joomla 1.5.23 so it's extremely exploitable).
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

Re: Can no more access backend with .htpasswd

Post by PhilD » Thu Apr 10, 2014 8:06 pm

This is a little late but....
AuthUserFile /var/www/vhosts/domain.com/httpdocs/administrator/.htpasswd
Location: It is a good idea to put the .htpasswd file outside of your web accessible documents. Keep it out of your htdocs, www, and public_html folders. This is a security measure. Most web servers are configured to not allow people to remotely view your .htpasswd file, but it never hurts to keep it out of the web tree.

Yours is inside of your administrator directory which is presumably for Joomla. Someone could have hacked the site and changed the password/username.

I suggest you delete what you have and use the server's htpasswd file generator (usually found in the domain's control panel) to properly generate the file and place it in the proper place on the domain.

Also, while not a bad idea, protecting the administrator directory by the additional password request will only help prevent getting in the administrator end via brute force password guessing. It does nothing to stop getting into a site via an insecure extension or by an outdated core install. It basically has to do with how servers work and what is trusted and not trusted. Internal requests are generally trusted; external requests generally are not.
PhilD

Re: Can no more access backend with .htpasswd

Post by asifak » Sat Apr 12, 2014 4:38 am

Hello PhilD,

Thanks for your reply.
The situation is that the site may not have been hacked. If I change .htaccess and remove the .htpasswd portion, then the login screen of Joomla appears and I can log in. If I use .htaccess with .htpasswd, then a blank webpage appears. Before this problem, it was fine and everything was working OK.
I have a virtual Linux CentOS server using Parallels Plesk. I could not understand your suggestion of generating the password from the domain control panel. I cannot find it.
Looking for your reply.

Re: Can no more access backend with .htpasswd

Post by PhilD » Tue Apr 15, 2014 5:39 pm

I don't use Plesk so cannot answer directly, but what I have provided below should be accurate and work. If not, ask your technical support for assistance.

I would first remove any .htaccess file from the administrator directory you may have already so that it does not interfere with properly making the files from the control panel as described below.

Plesk and Parallels Plesk allow the creation of password protected directories. You can create one of these password protected directories by the following.

Log in to the Plesk administrative panel
Select domains on the left side navigation panel
Control Panel next to the domain you want to create the password protection in
Choose Websites and Domains
Click Show Advanced Operations
Choose Password-Protected Directories.
Select Add Protected Directory. Enter in the directory name, physical location and title of the protected directory and click OK.
You must specify the physical path* to the directory that you wish to password protect (administrator) in the Directory name box.
  • *This can be any directory existing in your site, for example: /private. If the directory that you would like to protect has not yet been created, specify the path and the directory name – Parallels Plesk Panel will create it for you. In your case the administrator directory was created by Joomla so all you should have to do is supply the directory name and maybe the physical path if name alone does not work.
Once the directory is added, select the directory. This will allow you to set a user and password to access the directory.
Click Add New User and enter in the username, secure password, and then confirm the password, and click OK.

The admin directory should now be secured: when viewed in a browser, a password prompt will appear and will only allow those user(s) with proper access to continue on to the Joomla administrator login. You will now have the htpasswd file located in the proper place for your domain, and a .htaccess file in the administrator directory with the proper commands and info in it to use the htpasswd file.

If you have access to an SSH login, you can create the htpasswd file by using the command line. There are examples on how to do this on Google, but it falls under the category of advanced website domain management. In other words, you have to know what you are doing or you could create more issues than you solve.

At no time should the htpasswd file be located within any publicly accessible directory such as www, public_html, htdocs, or whatever your host has named the public area(s) of the domain. To do so is like parking your car on the street and leaving the keys on the hood of the car.
PhilD
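
Added example, not part of the original thread: a small POSIX shell audit for the point made above about keeping the password file out of the web tree. It flags every .htaccess under a document root whose AuthUserFile resolves inside that root; the function names and the demo tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: list .htaccess files whose AuthUserFile lives inside the web root.
# Prints "<.htaccess> -> <password file>" per finding; returns 1 if any were found.
audit_authuserfile() {
    docroot=$(cd "$1" && pwd -P) || return 2
    # Collect "file<TAB>path" for every AuthUserFile directive (case-insensitive;
    # commented-out lines do not match because their first field starts with '#').
    hits=$(find "$docroot" -type f -name .htaccess -exec awk '
        tolower($1) == "authuserfile" { gsub(/"/, "", $2); print FILENAME "\t" $2 }
    ' {} +)
    tab=$(printf '\t')
    found=0
    while IFS="$tab" read -r ht target; do
        case $target in
            /*) ;;            # absolute path: can be compared with the web root
            *) continue ;;    # empty or relative (Apache resolves it against ServerRoot)
        esac
        # Resolve symlinks in the parent directory; fall back to the literal path.
        dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || dir=$(dirname "$target")
        case "$dir/" in
            "$docroot"/*) printf '%s -> %s\n' "$ht" "$target"; found=1 ;;
        esac
    done <<EOF
$hits
EOF
    return "$found"
}

# Constructed demo tree mirroring the layout in the thread (paths are made up).
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/httpdocs/administrator" "$root/private"
    printf 'AuthUserFile %s\nAuthName EnterPassword\nAuthType Basic\nrequire user username\n' \
        "$root/httpdocs/administrator/.htpasswd" > "$root/httpdocs/administrator/.htaccess"
    audit_authuserfile "$root/httpdocs"; rc=$?
    rm -rf "$root"
    return "$rc"
}
demo || echo "password file is served from inside the web root"
```

Paths containing spaces are not handled by the awk field split; a finding means the file should be moved to a directory outside the document root and AuthUserFile updated to match.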