Password protect administrator directory on cPanel 404

[mraab]

This issue was discussed before but I encountered an additional issue:

When password protecting the administrator directory (Joomla 3.3) on cPanel I do get a 404 error when accessing the backend. Another post suggests to replace the following line in .htaccess

Code: Select all

RewriteRule .* index.php [L]

with

Code: Select all

RewriteRule ./ /index.php [L]

This works fine for the secured administrator directory. The 404 error disappears.
However, I do get a 404 error on all other frontend menu items except the home page.

Does anyone had the same issue? This is apparently an apache configuration issue. Any advice is much appreciated.

Thanks, Matthias

[Per Yngve Berg]

Forget about it. If you need more security, use the two factor authorisation.

[mraab]

Thanks for your reply. I am aware of two factor authorisation and and my question was how to password protect a directory without getting 404 errors.

[RedEye]

Does anyone had the same issue? This is apparently an apache configuration issue. Any advice is much appreciated.

Never had this issue, but I am not using CPanel. Changing the .htaccess in J! root folder shouldn't be necessary I would say.
Did you test to create the pw protection yourself?
.htaccess for administrator folder:

Code: Select all

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /full-path/to/.htpasswd
Require valid-user

.htpasswd user: test - pwd: test

Code: Select all

test:dGRkPurkuWmW2

[Per Yngve Berg]

Put a h.taccess file in the administrator folder. The frontend uses some libraries in administrator. You have let those pass.

[RedEye]

Put a h.taccess file in the administrator folder. The frontend uses some libraries in administrator. You have let those pass.

If the frontend uses anything from the admin folder what a .htaccess auth would block I would consider it as a bug or bad design and it should be fixed

[mraab]

Ok, I tested the password protection manually by placing a .htaccess file in the administrator directory and linked to the password file. The same error. As soon as I have the directory password protected the backend access returns a 404 error and the browser is not even asking for username and password.

[mraab]

My .htaccess file in the root directory is the renamed htaccess.txt file with on modification to rewrite the URL to http://www.URL.

Code: Select all

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

These lines have no effect on the PW protection issue, I took them out and tested this. Everything else is unaltered.

[Bernard T]

Please try this: take a fresh htaccess.txt file from J!3.3.3 package file, and put it in place of old .htaccess - don't change anything in it.
Then go to cPanel and try password protecting /administrator folder (it should put .htaccess/htpasswd in /administrator folder).

[bobysolo]

I had the same problem and I checked on the same server the differences in .htaccess files from different pages, where on some the password protection worked and on some it didn't.

The only difference I found between .htaccess files was this line, which was removed from latest versions of Joomla packages:

Code: Select all

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]

Now, I don't know if it's good that this line is removed or why it was removed, but when I add it back to the .htaccess file in the root of the webpage, it works. No more 404 errors in the administrator directory.

[ehoward]

I installed Joomla 3.3.4 on a new account 9/23/14. I always password protect the administrator directory, so set the permissions from my host CPanel. I have never had to edit .htaccess to accommodate this.

“When a user accesses the protected directory through the web, they will be prompted to enter a username and password.” On 9/29/14, instead of getting that prompt, I got an error message: 404 - Category not found.

I looked for hosting problems and Joomla problems. I called my host, but the support person was baffled. I upgraded Joomla to 3.3.5 on 9/30/14, then upgraded to 3.3.6 on 10/2/14. I still can’t access the backend of Joomla while the administrator directory is protected..

Is this a hosting issue or a Joomla issue?

[ehoward]

This is how my host solved the problem.
Upon review of this matter, it seems that the default joomla .htaccess rules were conflicting with the password protection. I had to disable the following rules in public_html/.htaccess in order to make this work.

Code: Select all

# RewriteBase / 
## Begin - Joomla! core SEF Section. 
# 
#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 
#
 # If the requested path and file is not /index.php and the request 
# has not already been internally rewritten to the index.php script 
#RewriteCond %{REQUEST_URI} !^/index\.php
 # and the requested path and file doesn't directly match a physical file 
#RewriteCond %{REQUEST_FILENAME} !-f 
# and the requested path and file doesn't directly match a physical folder
 #RewriteCond %{REQUEST_FILENAME} !-d 
# internally rewrite the request to the index.php script 
#RewriteRule .* index.php [L] 
# 
## End - Joomla! core SEF Section. 

[rich1]

If you are password protecting your administration directory, that is where both .htaccess and .htpasswd should be placed.
Normal cPanel® paths:

htaccess:

Code: Select all

AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/username/public_html/ifAddOnDomain/administrator/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

htpasswd:

Code: Select all

username:password

Use this link:
http://winfoes.co.uk/how-to-joomla/joom ... el-backend
You will find additional joomla admin security ideas and htpasswd generators.


If you are using cPanel, the Admins for your host may have disabled direct directory protection through htaccess, however through your cPanel you can password protect your admin directory with the Security/'Password Protect Directories' feature.

You may see the above code for htaccess as:

Code: Select all

# DO NOT REMOVE THIS LINE AND THE LINES BELOW PWPROTECTID:SrTNvQ
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/username/public_html/ifAddOnDomain/administrator/.htpasswd
Require user username
# DO NOT REMOVE THIS LINE AND THE LINES ABOVE SrTNvQ:PWPROTECTID

Also of note to all those who have never used cPanel®.
CPanel or Cpanel are not the same as cPanel®.
These are different licensed hosting solutions and should not be confused with each other.
See:
http://cybercapital.co.uk/website-hosti ... el-hosting
for further info and definition!

[kg]

I had the same problem and I checked on the same server the differences in .htaccess files from different pages, where on some the password protection worked and on some it didn't.

The only difference I found between .htaccess files was this line, which was removed from latest versions of Joomla packages:

Code: Select all

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]

Now, I don't know if it's good that this line is removed or why it was removed, but when I add it back to the .htaccess file in the root of the webpage, it works. No more 404 errors in the administrator directory.

I had the same problem and after having tested lots of different solutions I tested this and it works for some reason.
That is fine, but since the line is stripped out by Joomla I guess there is a reason for it and would appreciate comments on this or ideas regarding what the real issue is for getting 404's on password protected directories when running Joomla 3.3.x

The tested installation runs on a server with Apache/2.4.10 and PHP 5.4.33

[aintnosaint]

Hi Folks,
I also have this issue, only turning of the PW protection works for me. Is Tw-Factor Authentication sufficient by itself?

[Per Yngve Berg]

Two-Factor Authentication is better than Password Protected Folder, as it cannot be Brute Force Attacked. If it's good enough for a bank, it should be good enough for you.

[JAVesey]

Why not use both TFA and a surrogate path to the /administrator folder?

I doubt that there's anything easier to set up/use that AdminExile (for a unique path to /administrator and Brute Force protection) combined with Joomla's own TFA.

Works well in my experience.

[Yiannistaos]

Hello,

Edit your .htaccess file in the administrator folder and add this

Code: Select all

AuthName "Authorisation Required"
AuthUserFile "/home/acc/.htpasswds/public_html/administrator/passwd"
AuthType Basic
require valid-user
ErrorDocument 401 "Authorisation Required"

.

[Croc]

This worked for me
After:

Code: Select all

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Add:

Code: Select all

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]

[chytons]

Hello,

Edit your .htaccess file in the administrator folder and add this

Code: Select all

AuthName "Authorisation Required"
AuthUserFile "/home/acc/.htpasswds/public_html/administrator/passwd"
AuthType Basic
require valid-user
ErrorDocument 401 "Authorisation Required"

.

This worked for me.
Thanks

[Yiannistaos]

You're welcome, chytons

[whaines]

I added the "Admin Tools" Joomla Extension (by Akeeba); no problems with the install.
I then used their PASSWORD PROTECT ADMINISTRATOR tool:
This feature will password-protect your administrator area using .htaccess files.

It tells you If your administrator area becomes inaccessible, please remove the .htaccess and .htpasswd files from the administrator directory using FTP or your host's File Manager.

My admin area did become inaccessible. Now getting "404 - Category not found" so I can't log in to the back end of my site from the Joomla Admin log in.

When I go to my administrator directory I can not see the files
.htaccess and .htpasswd in order to remove them.

I'm running Joomla 3.4.1. Can someone please assist?

[Yiannistaos]

Whaines,

have you tried this solution here: http://forum.joomla.org/viewtopic.php?u ... A#p3266125 ?

[xbonize]

Hello,

Edit your .htaccess file in the administrator folder and add this

Code: Select all

AuthName "Authorisation Required"
AuthUserFile "/home/acc/.htpasswds/public_html/administrator/passwd"
AuthType Basic
require valid-user
ErrorDocument 401 "Authorisation Required"

.

It works. Thank you very much!

[Yiannistaos]

You're welcome, xbonize

[leolam]

For all here: This has nothing to do with the default .htaccess file. It is caused by a server that is not correct configured. Please read what Nicholas of Akeeba replied on the Github and he is completely right. It is good for those who can solve this issue through changes in the htaccess file but they should not be needed in the first place.

Leo

[Bernard T]

For those who don't want to read through bugtracker reports, like I did, the problem is that cPanel has defined a custom HTTP Response 401 error HTML document (the one that should display nicer designed error messages) but the file doesn't exist.

This is why in such situation adding

Code: Select all

ErrorDocument 401 "Authorisation Required"

to your Htaccess file is needed, so that it will only display message "Authorisation Required" instead of trying to display non-existing file. It just overrides Cpanel misconfiguration described above.

[seefa]

Mr. BernardT your description was complete to understand why this problem happened after read all this post.
Croc's solution and others, had result for me too but last solution was logical.
Thank you everybody to share your knowledge

[stefaniasail]

Thanks everyone! In my case the error was showing because of another .htaccess in a directory. Issue is resolved now.

[topwebs]

If you create a custom 401 error page in CPanel, then you do not need to alter the .htaccess file and the Cpanel protected directory works correctly.