htaccess password for /includes - yes or no?

**MTD** · 08-08-2010 06:52 PM

I had already read this entire thread before, but I spent a couple hours late last night carefully reading through it again because there's a wealth of information on there. However one thing I didn't see much discussion of was htaccess password protection of the includes (public_html/includes/). On the vBulletin.com forum I saw a couple people say this should be protected to, but most of what I've read lately only talks about doing that with the admincp and modcp.

So is it possible to password protect /includes/ or will that cause problems? If it is possible and recommended, it seems like that might help since some of these attacks are originating at includes/config.php.

**Marco Mamdouh** · 08-08-2010 08:12 PM

So is it possible to password protect /includes/ or will that cause problems? If it is possible and recommended, it seems like that might help since some of these attacks are originating at includes/config.php.

Yes Mike you're correct I'm strongly suggest to protect your includes directory and I've said that in this thread : Easy Security Tips for vBSEO customers

or will that cause problems?

I'm already done that in my own forum since more than 2 years and I didn't see any problem in all of these 2 years, Also vBulletin.com and .org is protect their includes directory
http://www.vbulletin.com/forum/includes/
http://www.vbulletin.org/forum/includes/

I can say yes it will make problem if you protected your clientscript directory with user and password

**MTD** · 08-08-2010 08:19 PM

Originally Posted by Marco Mamdouh

Yes Mike you're correct I'm strongly suggest to protect your includes directory and I've said that in this thread : Easy Security Tips for vBSEO customers

Okay great - then I will add htaccess password protection to /includes.

Are there any other folders that you should also protect? How about /install and /vbseo?

**Marco Mamdouh** · 08-08-2010 08:32 PM

Since vbseo folder has the images of vBSEO, Then it may make a problems I don't suggest to protect it ....
Install folder you can just rename it to any random characters for example "hjh6721gtwq" And if you need it you can rename it again to install

**MTD** · 08-08-2010 11:23 PM

Thanks. One more question- in the thread you linked to with instructions, the htaccess example was:

Code:

AuthUserFile /home/sitename/mypassvault/passwd
AuthName "AdminCP"
AuthType Basic
Require valid-user

Should it also have files access on the bottom, like this?

Code:

AuthUserFile /home/sitename/mypassvault/passwd
AuthName "AdminCP"
AuthType Basic
Require valid-user

<Files ".htaccess">
order allow,deny
deny from all
</Files>

**Marco Mamdouh** · 08-09-2010 08:18 AM

No, you shouldn't add this part in htaccess password protect.

**Taurus MFF** · 08-17-2010 03:49 PM

I've read a few recommendations to completely delete the /install folder. why leave it?

**Marco Mamdouh** · 08-17-2010 03:51 PM

You may need to for maintenance, For example tools.php file need init.php file in install folder.

**Brian Cummiskey** · 08-17-2010 04:08 PM

I suggest deleting it. If you ned it, you can always re- FTP it from your vb download.

**Ceri May** · 08-18-2010 11:04 AM

I concur, it serves a major security risk if found. Even renaming it still leaves it on your server and I highly recommend removing it.

As for .htaccess protection the /vbseo/ folder I wouldn't recommend it however you can protect the /vbseo/includes/ folder with no problem at all.

htaccess password for /includes - yes or no?

LinkBack

Thread Tools

Display

htaccess password for /includes - yes or no?

Similar Threads

Sitemap includes photopost pro?

.htaccess and password protection by cpanel

Posting Permissions