This feature uses .htaccess files which are only compatible with Apache, Litespeed and a very few other web servers. Some servers (such as NginX and IIS) are incompatible with .htaccess files. If we detect a known to be incompatible server type this feature will not be shown at all in Admin Tools' interface. It should be noted that even if you do see it in the interface it doesn't necessarily means that it will work on your server. This depends on your server's capabilities. If you are unsure or believe it doesn't work please consult your host.
administrator directory of your site. It does so by
using Apache .htaccess and .htpasswd files, so it won't work on hosting
which uses IIS or NginX.
Some prepackaged server bundles and some live hosts do not allow
using .htaccess files to password-protect a directory. If it is a
local server, edit your
If you are on a live host, please consult your host about the possibility of them allowing you to use this feature on your site.
There are several password hashing schemes supported by
different versions of Safari. It's possible that if you password
protect your administrator directory on one server and then transfer
your site on a different server you will receive a blank page or an
Internal Server 500 error page when accessing your site's
administrator backend. This is normal and expected. All you have to do
is to remove the
To apply the password protection, enter a desired username and password and click on thebutton. After a few seconds your browser will ask you to supply the username and password you just specified. This will also happen each and every time anybody tries to access the administrator back-end of your site. In other words, you have to share the username and password with all back-end users of your site.
If you wish to remove the password protection you can either
remove both the
.htpasswd files from your administrator directory,
or click on the
There are two more options on this page you should be aware of.
Administrator resources to protect. In the past, the administrator password protection was an all-or-nothing feature. This is no longer the case. This option lets you choose which resources under the administrator directory will be protected with a password. “Joomla” only protects Joomla's index.php (the administrator application entry point). Everything else can be accessed freely, including .php files from third party applications. “All PHP files” protects all PHP files in the administrator folder and its subdirectories. “Everything” works the same as old versions of Admin Tools, disallowing access to any file in the administrator folder and its subdirectories, regardless of its extension.
We recommend using “Everything”. That's the default option and equivalent to how things worked in the past.
In very rare cases, typically third party payment plugins for e-commerce applications, you may need to allow access to arbitrarily named .php files hosted in a directory under your site's administrator folder. This is NOT recommended; using Joomla's com_ajax is the best way for developers to do that. If, however, you do bump into this case you can select the “Joomla” option. This is the least secure option and you may also need to add an exception in the .htaccess Maker page if you are using that feature as well.
Reset custom error pages. This will resets Apache custom error pages for HTTP 401 and 403 to the most minimal built-in error page in Apache. This prevents a 404 Article Not Found error when trying to access the administrator login page after enabling the Administrator Password Protection feature. You are strongly advised to keep this option enabled unless it causes and HTTP 500 Internal Server Error problem.