Protection through .htaccess


The following information only applies to sites using the Apache web server or another web server which is compatible with Apache's .htaccess and .htpasswd files.I f you are unsure please ask your host.

You will also need Apache's mod_rewrite to be enabled. On most local servers (e.g. XAMPP, WAMPServer and so on) it is not and enabling the .htaccess file per the instructions below will make Akeeba Solo inaccessible. In this case please consult the support forum of your local server or your host's support on enabling Apache's mod_rewrite.

The information in this page is for advanced users only. If you do not fully grasp the information on this page we advise you to not attempt to follow these instructions. Akeeba Solo will work perfectly well without these advanced features. On the other hand, if you make a mistake following these instructions you might end up bricking your Akeeba Solo installation, so please exercise great caution!

Protection against most common exploits and optimisation of performance

Akeeba Solo, like every other web application (including popular PHP CMS Joomla! and WordPress), can be susceptible to attacks by hackers. Akeeba Solo comes with a way to prevent most of these attacks and, at the same time, optimise the performance of the application. You can do that by copying the htaccess.txt file shipped with Akeeba Solo to a file named .htaccess (that's a dot followed by htaccess).

Please note that the .htaccess file, just like all files whose name starts with a dot, is a hidden file on Mac OS X, Linux, Solaris and all other UNIX-based operating systems. You will need to tell your file manager or FTP programme to display hidden files, otherwise you will not be able to see that file on your server if it's using one of the aforementioned operating systems.

Moreover, please do remember that not all of the options in that file are compatible with all hosts. Some hosts will prevent you from using some of the directives inside this file or even prevent you from using a .htaccess file at all. In these cases you can either try manually editing your .htaccess file, following the instructions in it to disable (or even remove) certain sections or you can simply not use the .htaccess file at all. Using it is strictly optional.

On many servers you might end up with strange issues when when you enable the .htaccess file, e.g. certain features of Akeeba Solo resulting in a 403 Forbidden, 500 Internal Server Error or a blank page. In this case, first edit the .htaccess file, find the line

# RewriteBase /

and change it to

RewriteBase /myfolder

where myfolder is the name of the folder under your web site's root where Akeeba Solo is installed.

Protection against brute force attacks

Akeeba Solo, like all web applications, is potentially susceptible to a brute force attack. This means that a malicious actor will try to guess your username and password. Usually these attacks are automated with purpose-built software called "crack bots" or simply "bots". If they succeed they will be able to take exact copies of your site. You have to protect yourself against this.

The first line of defense is obscurity. Choose a non-obvious username. Usernames like "admin", "god", "super", your first / last name, common first names, your site's domain / name or a combination thereof are the first things an attacker will try. The same goes for password. Ideally, a password should be 14-20 characters long and include lowercase and uppercase letters, numbers and special characters. The rule of thumb is that if you can memorise your password it can be guessed in a brute force attack. The most secure password is one you have to write down and keep safe. We recommend using a password manager (e.g. 1Password, KeePass, LastPass etc).

The drawback of brute force attacks, besides the attacker being able to clone your site if they succeed, is server usage. Even if you are completely paranoid and use extremely unlikely to guess usernames and passwords, the failed login attempts to Akeeba Solo will still consume server resources. Even though Akeeba Solo is extremely lightweight, login attempts do require making extra queries to the database which might end up turning a brute force attack into something that makes your site extremely slow. This affects all PHP applications, including WordPress, Joomla! etc. But unlike these other applications, you can do something to protect Akeeba Solo's login page: adding a server-side login before Akeeba Solo's login page. The way it works is simple:

  • When someone tries to access Akeeba Solo the browser pops up a box asking for a username and password

  • The user enters a username and password which is common for everyone.

  • Then the user sees Akeeba Solo's login page where they enter their personal username and password.

The common username and password requirement is processed directly by the web server and it is VERY fast. When an attacker fails to guess it correctly there is virtually no performance penalty on your server. Moreover, this trick does stall the attacker as they have to guess two username/password pairs. Of course you are advised to use two different username/password pairs! Below we'll see how you can enable this protection on your Akeeba Solo installation.


If you enable this feature and are using the front-end backup feature for CRON job automation you MUST remember to set up this username and password in your CRON job as described in our documentation. Otherwise you will be receiving a 403 Forbidden error message and your backups will not run.

You will need to create two files. The first one is called .htpasswd (a single dot followed by htpasswd) and contains the common username and password which you will be using to see the login page. Its contents are one or more lines which look like this:


that is your username, followed by a semicolon, followed by your password. You must NOT leave any spaces before, after or in between these items. Save this in a plain text file and upload it inside Akeeba Solo's main directory with the name .htpasswd

Then you need to create or edit a .htaccess (a single dot followed by htaccess) file. At the end of this file put the following code:

AuthUserFile /home/youruser/public_html/pathtosolo/.htpasswd
AuthType Basic
AuthName "Site backup"
Require valid-user

where /home/youruser/public_html/pathtosolo is the absolute filesystem path to the directory where Akeeba Solo is installed. Please note that if you do not know this path you can ask your host, they are the only people who can tell you what it is.

For more information on Apache .htaccess / .htpasswd protection you might want to consult this third party site.