Securing the admin part of the site is always tricky, especially for open source software CMS. A very good practice is to protect your admin directory with an extra .htaccess, because most of the damages has been done from exploits of the applications rather than brute force cracking.
There are many articles how to set up .htaccess authentication on Apache web server, but here I will explain how to set an extra password request only for Internet users while the users from Local Network should spare the extra password.
The scenario:
When the user in in the local network the administration part need to be accessible with the CMS default authentication, while if the user access the Administration from Internet, an extra password prompt will be shown.
1. Create your password file
New password:
Re-type new password:
Adding password for user user
If you writing in an existing file don’t use the option -c
2. Setting the .htaccess
Depending of the server set up you can do this in your httpd.conf, or in apache2 style – in sites-available directory. So, let’s say we have a file in /etc/apache/sites-available called site.com which holds the record of the domain
ServerAdmin email@site.com
ServerName site.com
...
<Location /admin>
AuthType Basic
AuthName intranet
Satisfy any
Allow from 192.168
Order allow,deny
AuthUserFile /your_secret_location/.htpasswd
Require valid-user
</Location>
...
</VirtualHost>
Here is the tricky part: The directive “Satisfy any”. By default the directive is set to all so it’s like AND:
If (you are in local net AND you are valid user) {access the location}
while Satisfy any is like OR
If (you are in local net OR you are valid user) {access the location}
More on this topic: Satisfy directive
This info is useful for me, thanks dude.
Thank for the information. May be after this i will make more security at my web/blog