Password protect the OpenCart admin
This article covers a simple security feature of the Apache server - password-protected directories - and how you can use them in your OpenCart setup.
This method is very useful because it does not rely on any PHP verification; Apache itself blocks all access to files and folders in the protected folder until a user is logged in. To add one more layer of security to your OpenCart installation, we are going to protect the admin folder in OpenCart.
In order to protect a folder on your Apache server, you will need two files: the .htaccess file, which prevents users from accessing the folder without logging in, and the .htpasswd file, which holds the hashed user passwords. The example we are going to demonstrate uses Apache's default MD5 algorithm - an iterated (1,000 times) MD5 digest of various combinations of a random salt and the password. This is the default since Apache version 2.2.18.
1. Generate a password
We have created this little tool to help you generate your .htaccess and .htpasswd files easily, without having to write any commands in your terminal or command prompt. The tool is located here - https://isenselabs.com/external/htaccess_password/index.php.
Fill in the Username and Password inputs, then type in the Server Path - the folder on your server to which you will upload the generated .htpasswd file. Example: /home/mywebsite/public_html/ or something similar.
Click Generate and your .htaccess and .htpasswd will be output in the content sections below the form. For your convenience, you can use the Download Files button to download a zip containing the two files.
2. Upload the generated files
Now, with the files generated, the only thing left to do is upload them to your web server. To protect a certain directory, upload the .htaccess file to that directory, and then upload the .htpasswd file to the folder specified in the Server Path field.
In our case we will have to upload the .htaccess file to the /home/mywebsite/public_html/admin/ directory to protect the OpenCart admin section. Then we will upload the .htpasswd file to /home/mywebsite/public_html/ and we are done!
Now when a user tries to access a resource (file, image, document, etc.) located in your admin directory, they will see a login prompt and have to log in.
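As an added example (not part of the original article or the generator tool), this Python check audits the two files after upload: it confirms the .htaccess carries the directives Basic authentication needs, identifies each .htpasswd entry's hash format by its prefix, and flags a password file stored under the web root, where it stays unreadable only because Apache's stock configuration denies requests for .ht* files. The sample file contents, the AuthName value and the function names are assumptions constructed for illustration; the tool's actual output may differ.

```python
import posixpath

# Constructed sample files (placeholder hashes, not real credentials).
HTACCESS = '''AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/mywebsite/public_html/.htpasswd
Require valid-user
'''
HTPASSWD = '''admin:$apr1$EXAMPLE0$0000000000000000000000
legacy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
'''
REQUIRED = ("authtype", "authname", "authuserfile", "require")

def parse_htaccess(text):
    """Return {directive: argument}; keys lower-cased, comments skipped."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return directives

def hash_scheme(entry):
    """Classify a 'user:hash' line by the prefix of each htpasswd format."""
    digest = entry.partition(":")[2]
    if digest.startswith("$apr1$"):
        return "apr1-md5"            # the iterated, salted MD5 this article uses
    if digest.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if digest.startswith("{SHA}"):
        return "sha1-unsalted"
    return "crypt-or-plaintext"

def audit(htaccess, htpasswd, docroot):
    """Return findings for one Basic-auth protected directory."""
    d = parse_htaccess(htaccess)
    findings = [f"missing directive: {k}" for k in REQUIRED if k not in d]
    if d.get("authtype", "basic").lower() != "basic":
        findings.append("AuthType is not Basic")
    path = posixpath.normpath(d.get("authuserfile", ""))
    if path.startswith(posixpath.normpath(docroot) + "/"):
        findings.append("password file is inside the document root")
    for entry in filter(None, map(str.strip, htpasswd.splitlines())):
        scheme = hash_scheme(entry)
        if scheme not in ("apr1-md5", "bcrypt"):
            findings.append(f"{entry.partition(':')[0]}: insecure format {scheme}")
    return findings

if __name__ == "__main__":
    for finding in audit(HTACCESS, HTPASSWD, "/home/mywebsite/public_html/"):
        print(finding)
```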
Thank you for reading!
P.S. You can also rename the OpenCart default admin folder, read how here - https://isenselabs.com/posts/tip-for-making-opencart-more-secure.