XenForo's admin area isn't in its own directory; it is reached through the admin.php file in the forum's main directory. So you can't apply .htaccess-based password protection to an admin directory, but you can still add an extra layer of security to admin.php itself with .htaccess.
Protect a Dummy Directory
Log in to cPanel and, in the File Manager, browse to the forum directory and create a dummy directory inside it. This is done to make sure we have a username and password available to protect the admin.php file. If you already have a username and password, you can skip this step.
Now return to the cPanel home and look for the Directory Privacy option under Files.
Browse to the dummy directory you created and protect it with a password.
Password Protect the Admin Area
Go back to the File manager and you will find a .htaccess file created inside the dummy folder. The content of the file will be as follows:
AuthType Basic
AuthName "XenForo Admin"
AuthUserFile "/home/********/.htpasswds/public_html/dummy/passwd"
require valid-user
Now open the forum root's .htaccess file, copy the content from the .htaccess file above, and wrap it in a Files block so that it applies only to admin.php, as follows:
<Files admin.php>
AuthType Basic
AuthName "XenForo Admin"
AuthUserFile "/home/********/.htpasswds/public_html/dummy/passwd"
require valid-user
</Files>
Save the file, and Apache will prompt for a username and password when you access the admin area.
Manage access to the XenForo admin area by managing the users of the dummy folder. Every user added or modified for the dummy folder will have access to the XenForo admin area.
Tighten security for admin.php further by allowing access only from selected IP addresses, as follows:
<Files admin.php>
Order Deny,Allow
Deny from all
Allow from XX.XX.XX.XX
Allow from YY.YY.YY.YY
</Files>
Place the above code in the forum root’s .htaccess file as a separate block.
Note: If you have a dynamic IP address, an IP-based restriction can mean you have to add your current IP address each time you want to access the admin area, or else you may see a server error.
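The password prompt and the IP allow list above, combined into a single block using Apache 2.4's Require directives, for servers where Order/Deny/Allow are only available through mod_access_compat. This is an added example, not part of the original article; the two IP addresses are constructed placeholders, and the AuthUserFile path is the article's own elided path.

```apache
# Added example for the forum root's .htaccess (Apache 2.4 syntax).
# Use this instead of the two <Files admin.php> blocks above, not in
# addition to them: the Apache documentation discourages mixing the old
# Order/Deny/Allow directives with the newer Require directives.
<Files admin.php>
    # Basic auth only base64-encodes the password in transit,
    # so admin.php should be served over HTTPS.
    AuthType Basic
    AuthName "XenForo Admin"
    # Same password file as created for the dummy directory
    # (path elided in the article, kept as-is here).
    AuthUserFile "/home/********/.htpasswds/public_html/dummy/passwd"

    # Every condition directly inside <RequireAll> must hold:
    # a valid login AND a source address on the allow list.
    <RequireAll>
        Require valid-user
        # Any one of the listed addresses is enough.
        <RequireAny>
            # Constructed placeholders from the documentation ranges;
            # replace with your own XX.XX.XX.XX / YY.YY.YY.YY values.
            Require ip 203.0.113.10
            Require ip 198.51.100.0/24
        </RequireAny>
    </RequireAll>
</Files>
```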