Password protect administrator directory on cPanel 404

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
User avatar
mraab
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 123
Joined: Sat Dec 30, 2006 12:28 pm
Location: Melbourne, Australia
Contact:

Password protect administrator directory on cPanel 404

Post by mraab » Sun Sep 14, 2014 10:52 am

This issue was discussed before but I encountered an additional issue:

When password protecting the administrator directory (Joomla 3.3) on cPanel I do get a 404 error when accessing the backend. Another post suggests to replace the following line in .htaccess

Code: Select all

RewriteRule .* index.php [L]
with

Code: Select all

RewriteRule ./ /index.php [L]
This works fine for the secured administrator directory. The 404 error disappears.
However, I do get a 404 error on all other frontend menu items except the home page.

Does anyone had the same issue? This is apparently an apache configuration issue. Any advice is much appreciated.

Thanks, Matthias

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25683
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Password protect administrator directory on cPanel 404

Post by Per Yngve Berg » Sun Sep 14, 2014 11:52 am

Forget about it. If you need more security, use the two factor authorisation.

User avatar
mraab
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 123
Joined: Sat Dec 30, 2006 12:28 pm
Location: Melbourne, Australia
Contact:

Re: Password protect administrator directory on cPanel 404

Post by mraab » Sun Sep 14, 2014 8:23 pm

Thanks for your reply. I am aware of two factor authorisation and and my question was how to password protect a directory without getting 404 errors.

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: Password protect administrator directory on cPanel 404

Post by RedEye » Mon Sep 15, 2014 12:22 am

mraab wrote:Does anyone had the same issue? This is apparently an apache configuration issue. Any advice is much appreciated.
Never had this issue, but I am not using CPanel. Changing the .htaccess in J! root folder shouldn't be necessary I would say.
Did you test to create the pw protection yourself?
.htaccess for administrator folder:

Code: Select all

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /full-path/to/.htpasswd
Require valid-user
.htpasswd user: test - pwd: test

Code: Select all

test:dGRkPurkuWmW2

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25683
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Password protect administrator directory on cPanel 404

Post by Per Yngve Berg » Mon Sep 15, 2014 5:12 am

Put a h.taccess file in the administrator folder. The frontend uses some libraries in administrator. You have let those pass.

RedEye
Joomla! Ace
Joomla! Ace
Posts: 1460
Joined: Sat Jan 21, 2006 8:42 pm

Re: Password protect administrator directory on cPanel 404

Post by RedEye » Mon Sep 15, 2014 6:30 pm

Per Yngve Berg wrote:Put a h.taccess file in the administrator folder. The frontend uses some libraries in administrator. You have let those pass.
If the frontend uses anything from the admin folder what a .htaccess auth would block I would consider it as a bug or bad design and it should be fixed ;)

User avatar
mraab
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 123
Joined: Sat Dec 30, 2006 12:28 pm
Location: Melbourne, Australia
Contact:

Re: Password protect administrator directory on cPanel 404

Post by mraab » Mon Sep 15, 2014 8:43 pm

Ok, I tested the password protection manually by placing a .htaccess file in the administrator directory and linked to the password file. The same error. As soon as I have the directory password protected the backend access returns a 404 error and the browser is not even asking for username and password.

User avatar
mraab
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 123
Joined: Sat Dec 30, 2006 12:28 pm
Location: Melbourne, Australia
Contact:

Re: Password protect administrator directory on cPanel 404

Post by mraab » Mon Sep 15, 2014 8:54 pm

My .htaccess file in the root directory is the renamed htaccess.txt file with on modification to rewrite the URL to http://www.URL.

Code: Select all

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
These lines have no effect on the PW protection issue, I took them out and tested this. Everything else is unaltered.

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Bernard T » Mon Sep 15, 2014 10:51 pm

Please try this: take a fresh htaccess.txt file from J!3.3.3 package file, and put it in place of old .htaccess - don't change anything in it.
Then go to cPanel and try password protecting /administrator folder (it should put .htaccess/htpasswd in /administrator folder).
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

User avatar
bobysolo
Joomla! Apprentice
Joomla! Apprentice
Posts: 23
Joined: Fri Sep 15, 2006 2:16 pm
Contact:

Re: Password protect administrator directory on cPanel 404

Post by bobysolo » Tue Sep 30, 2014 7:35 pm

I had the same problem and I checked on the same server the differences in .htaccess files from different pages, where on some the password protection worked and on some it didn't.

The only difference I found between .htaccess files was this line, which was removed from latest versions of Joomla packages:

Code: Select all

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
Now, I don't know if it's good that this line is removed or why it was removed, but when I add it back to the .htaccess file in the root of the webpage, it works. No more 404 errors in the administrator directory.

User avatar
ehoward
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Mon Sep 19, 2005 9:22 pm

Re: Password protect administrator directory on cPanel 404

Post by ehoward » Thu Oct 02, 2014 5:34 pm

I installed Joomla 3.3.4 on a new account 9/23/14. I always password protect the administrator directory, so set the permissions from my host CPanel. I have never had to edit .htaccess to accommodate this.

“When a user accesses the protected directory through the web, they will be prompted to enter a username and password.” On 9/29/14, instead of getting that prompt, I got an error message: 404 - Category not found.

I looked for hosting problems and Joomla problems. I called my host, but the support person was baffled. I upgraded Joomla to 3.3.5 on 9/30/14, then upgraded to 3.3.6 on 10/2/14. I still can’t access the backend of Joomla while the administrator directory is protected..

Is this a hosting issue or a Joomla issue?

User avatar
ehoward
Joomla! Apprentice
Joomla! Apprentice
Posts: 21
Joined: Mon Sep 19, 2005 9:22 pm

Re: Password protect administrator directory on cPanel 404

Post by ehoward » Fri Oct 03, 2014 9:45 pm

This is how my host solved the problem.
Upon review of this matter, it seems that the default joomla .htaccess rules were conflicting with the password protection. I had to disable the following rules in public_html/.htaccess in order to make this work.

Code: Select all

# RewriteBase / 
## Begin - Joomla! core SEF Section. 
# 
#RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 
#
 # If the requested path and file is not /index.php and the request 
# has not already been internally rewritten to the index.php script 
#RewriteCond %{REQUEST_URI} !^/index\.php
 # and the requested path and file doesn't directly match a physical file 
#RewriteCond %{REQUEST_FILENAME} !-f 
# and the requested path and file doesn't directly match a physical folder
 #RewriteCond %{REQUEST_FILENAME} !-d 
# internally rewrite the request to the index.php script 
#RewriteRule .* index.php [L] 
# 
## End - Joomla! core SEF Section. 

User avatar
rich1
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 190
Joined: Sun Apr 05, 2009 2:17 am
Location: London SE
Contact:

Re: Password protect administrator directory on cPanel 404

Post by rich1 » Sat Oct 04, 2014 6:10 pm

If you are password protecting your administration directory, that is where both .htaccess and .htpasswd should be placed.
Normal cPanel® paths:

htaccess:

Code: Select all

AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/username/public_html/ifAddOnDomain/administrator/.htpasswd 
AuthGroupFile /dev/null 
require valid-user
htpasswd:

Code: Select all

username:password
Use this link:
http://winfoes.co.uk/how-to-joomla/joom ... el-backend
You will find additional joomla admin security ideas and htpasswd generators.


If you are using cPanel, the Admins for your host may have disabled direct directory protection through htaccess, however through your cPanel you can password protect your admin directory with the Security/'Password Protect Directories' feature.

You may see the above code for htaccess as:

Code: Select all

# DO NOT REMOVE THIS LINE AND THE LINES BELOW PWPROTECTID:SrTNvQ
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/username/public_html/ifAddOnDomain/administrator/.htpasswd
Require user username
# DO NOT REMOVE THIS LINE AND THE LINES ABOVE SrTNvQ:PWPROTECTID
Also of note to all those who have never used cPanel®.
CPanel or Cpanel are not the same as cPanel®.
These are different licensed hosting solutions and should not be confused with each other.
See:
http://cybercapital.co.uk/website-hosti ... el-hosting
for further info and definition!
If you have no 'Coeur de Lion' do not ask why you fail.

kg
Joomla! Apprentice
Joomla! Apprentice
Posts: 25
Joined: Fri Apr 28, 2006 7:50 pm

Re: Password protect administrator directory on cPanel 404

Post by kg » Mon Oct 20, 2014 7:16 pm

bobysolo wrote:I had the same problem and I checked on the same server the differences in .htaccess files from different pages, where on some the password protection worked and on some it didn't.

The only difference I found between .htaccess files was this line, which was removed from latest versions of Joomla packages:

Code: Select all

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
Now, I don't know if it's good that this line is removed or why it was removed, but when I add it back to the .htaccess file in the root of the webpage, it works. No more 404 errors in the administrator directory.
I had the same problem and after having tested lots of different solutions I tested this and it works for some reason.
That is fine, but since the line is stripped out by Joomla I guess there is a reason for it and would appreciate comments on this or ideas regarding what the real issue is for getting 404's on password protected directories when running Joomla 3.3.x

The tested installation runs on a server with Apache/2.4.10 and PHP 5.4.33

aintnosaint
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Sat Dec 27, 2014 5:12 am

Re: Password protect administrator directory on cPanel 404

Post by aintnosaint » Sat Dec 27, 2014 5:31 am

Hi Folks,
I also have this issue, only turning of the PW protection works for me. Is Tw-Factor Authentication sufficient by itself?

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25683
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Password protect administrator directory on cPanel 404

Post by Per Yngve Berg » Sat Dec 27, 2014 8:54 am

Two-Factor Authentication is better than Password Protected Folder, as it cannot be Brute Force Attacked. If it's good enough for a bank, it should be good enough for you.

User avatar
JAVesey
Joomla! Hero
Joomla! Hero
Posts: 2018
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK
Contact:

Re: Password protect administrator directory on cPanel 404

Post by JAVesey » Mon Dec 29, 2014 4:23 pm

Why not use both TFA and a surrogate path to the /administrator folder?

I doubt that there's anything easier to set up/use that AdminExile (for a unique path to /administrator and Brute Force protection) combined with Joomla's own TFA.

Works well in my experience.
John V
Cardiff, Wales, UK
Uses Joomla 3.9.8

User avatar
Yiannistaos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 145
Joined: Sat Aug 08, 2009 11:37 am
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Yiannistaos » Tue Feb 10, 2015 6:36 pm

Hello,

Edit your .htaccess file in the administrator folder and add this

Code: Select all

AuthName "Authorisation Required"
AuthUserFile "/home/acc/.htpasswds/public_html/administrator/passwd"
AuthType Basic
require valid-user
ErrorDocument 401 "Authorisation Required"
.
Last edited by alikon on Wed Feb 11, 2015 5:52 am, edited 1 time in total.
Reason: external link removed
https://www.web357.com/ - Useful Extensions for Joomla!

User avatar
Croc
Joomla! Apprentice
Joomla! Apprentice
Posts: 48
Joined: Mon Nov 17, 2008 10:20 pm
Location: Greece
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Croc » Mon Mar 30, 2015 12:41 pm

This worked for me
After:

Code: Select all

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
Add:

Code: Select all

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
http://web-expert.gr/en - Joomla Hosting & Extensions

chytons
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Sat Apr 20, 2013 7:13 pm

Re: Password protect administrator directory on cPanel 404

Post by chytons » Fri Apr 03, 2015 12:21 am

Yiannistaos wrote:Hello,

Edit your .htaccess file in the administrator folder and add this

Code: Select all

AuthName "Authorisation Required"
AuthUserFile "/home/acc/.htpasswds/public_html/administrator/passwd"
AuthType Basic
require valid-user
ErrorDocument 401 "Authorisation Required"
.
This worked for me.
Thanks

User avatar
Yiannistaos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 145
Joined: Sat Aug 08, 2009 11:37 am
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Yiannistaos » Fri Apr 03, 2015 1:45 am

You're welcome, chytons ;)
https://www.web357.com/ - Useful Extensions for Joomla!

whaines
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Apr 16, 2015 9:21 pm
Location: Canada

Re: Password protect administrator directory on cPanel 404

Post by whaines » Thu Apr 16, 2015 9:54 pm

I added the "Admin Tools" Joomla Extension (by Akeeba); no problems with the install.
I then used their PASSWORD PROTECT ADMINISTRATOR tool:
This feature will password-protect your administrator area using .htaccess files.

It tells you If your administrator area becomes inaccessible, please remove the .htaccess and .htpasswd files from the administrator directory using FTP or your host's File Manager.

My admin area did become inaccessible. Now getting "404 - Category not found" so I can't log in to the back end of my site from the Joomla Admin log in.

When I go to my administrator directory I can not see the files
.htaccess and .htpasswd in order to remove them.

I'm running Joomla 3.4.1. Can someone please assist?

User avatar
Yiannistaos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 145
Joined: Sat Aug 08, 2009 11:37 am
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Yiannistaos » Fri Apr 17, 2015 9:22 am

Whaines,

have you tried this solution here: http://forum.joomla.org/viewtopic.php?u ... A#p3266125 ?
https://www.web357.com/ - Useful Extensions for Joomla!

User avatar
xbonize
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Tue Feb 28, 2012 3:04 pm

Re: Password protect administrator directory on cPanel 404

Post by xbonize » Tue Apr 21, 2015 7:20 am

Yiannistaos wrote:Hello,

Edit your .htaccess file in the administrator folder and add this

Code: Select all

AuthName "Authorisation Required"
AuthUserFile "/home/acc/.htpasswds/public_html/administrator/passwd"
AuthType Basic
require valid-user
ErrorDocument 401 "Authorisation Required"
.
It works. Thank you very much! :o

User avatar
Yiannistaos
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 145
Joined: Sat Aug 08, 2009 11:37 am
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Yiannistaos » Tue Apr 21, 2015 7:37 am

You're welcome, xbonize ;)
https://www.web357.com/ - Useful Extensions for Joomla!

User avatar
leolam
Joomla! Master
Joomla! Master
Posts: 19530
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Contact:

Re: Password protect administrator directory on cPanel 404

Post by leolam » Sun May 03, 2015 6:14 am

For all here: This has nothing to do with the default .htaccess file. It is caused by a server that is not correct configured. Please read what Nicholas of Akeeba replied on the Github and he is completely right. It is good for those who can solve this issue through changes in the htaccess file but they should not be needed in the first place.

Leo 8)
Joomla's #1 Professional Support Provider:
-> Joomla Professional Support: https://gws-desk.com -
-> Joomla Specialized Hosting Solutions: https://gws-host.com -
-> Joomla Webmaster Services: gws-webmaster.services

User avatar
Bernard T
Joomla! Guru
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska
Contact:

Re: Password protect administrator directory on cPanel 404

Post by Bernard T » Sun May 03, 2015 12:00 pm

For those who don't want to read through bugtracker reports, like I did, the problem is that cPanel has defined a custom HTTP Response 401 error HTML document (the one that should display nicer designed error messages) but the file doesn't exist.

This is why in such situation adding

Code: Select all

ErrorDocument 401 "Authorisation Required"
to your Htaccess file is needed, so that it will only display message "Authorisation Required" instead of trying to display non-existing file. It just overrides Cpanel misconfiguration described above.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

seefa
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Sat Jan 24, 2015 4:51 pm
Location: Iran
Contact:

Re: Password protect administrator directory on cPanel 404

Post by seefa » Sun May 10, 2015 6:27 pm

Mr. BernardT your description was complete to understand why this problem happened after read all this post.
Croc's solution and others, had result for me too but last solution was logical.
Thank you everybody to share your knowledge

stefaniasail
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Mon May 11, 2015 6:52 pm
Location: New York
Contact:

Re: Password protect administrator directory on cPanel 404

Post by stefaniasail » Tue May 12, 2015 9:42 am

Thanks everyone! In my case the error was showing because of another .htaccess in a directory. Issue is resolved now.

User avatar
topwebs
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 211
Joined: Wed Sep 06, 2006 1:14 pm
Location: St Louis, MO
Contact:

Re: Password protect administrator directory on cPanel 404

Post by topwebs » Wed Jun 10, 2015 2:30 am

If you create a custom 401 error page in CPanel, then you do not need to alter the .htaccess file and the Cpanel protected directory works correctly.
Dan Walker - Web Designer & Developer @ Top Webs Network
Custom Joomla & Wordpress Websites
www.TopBusinessWebsites.com
www.TopChurchWebsites.com


Locked

Return to “Security in Joomla! 3.x”