MyBB Community Forums

Full Version: How can I protect the index.php file?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hello everyone,

Is there a way to protect the index.php file.
I wanne do this to protect my forum for some time for incoming people.
I was think of a special security that you need to give a specific password and then you will get the index.php file?
I've tried already a few things but can't get it working.
I already managed it with some javascript but then I noticed that it doesn't secure very good. Cause when I write the link www.mywebsite.be/forums/index.php (fake website) I get in without it ask me to give a password. But when I go to www.mywebsite.be/forums (fake website) It ask me a password. Because I made a file index.html with that javascript code in it.

I hope there is something else I can use.
I also need to tell you all I'm not that good in MYBB configuration,
so it would be usefull to get also some explanation.

thanks in advance
Geforce
Never try to secure your website on the client-side (javascript). Security issues should be handled on the server-side. Everyone can change the contents on the client-side.

Here's your solution:

Create a .htaccess file in the same folder where index.php is. Put this in the .htaccess file:
Quote:AuthType Basic
AuthName "Password Protected Area"
AuthUserFile \.htpasswd
Require valid-user

Next, in the same folder where you've put .htaccess, create a .htpsswd file and put this in it:
Quote:test:dGRkPurkuWmW2

Now you need to configure your server's config file to let .htaccess override.
If you're using Apache webserver, go to conf -> httpd.conf and search for this:
Quote:<Directory "c:/Apache24/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
Or something similar. You need to replace AllowOverride None with AllowOverride AuthConfig.
Be 100% sure that the directory has the FULL path to where your index.php file is located. Note that in my case, /htdocs is where I've put my webpage (index.php etc. basically the entire forum software).

In my case it's <Directory "c:/Apache24/htdocs">.
Just make sure the full path is provided here to where your index.php is located.

Now if you did this correctly, the entire folder is password protected. But only that folder!

You provided the username/password in the .htpsswd file.
Username: test
Password: test

The password you provided in the file is an encryption of test.

There are tools on the internet to encrypt your password.

Good luck!