Web access protection

Protecting directories Through the password protection section, you can allow web access to certain parts of your account only to people who have valid login credentials for them. To enable the protection, you need to browse to the directory you want to protect at the Web Access Protection section. You should note that the protection works recursively and will affect all lower-level directories. There are two types of authentication available - plain and digest. The plain method is recommended for sites with SSL certificates, while the digest method is recommended for non-HTTPS sites. Once you select the method, you need to specify the new user at the Add user field, and then you need to specify the password twice at the fields below. The user will be created upon clicking on the Add button. You will notice that there is a password strength indicator below the Password field. It will update in real time as you are entering your new password. There are five distinct levels of password strength: Very Weak, Weak, Fair, Strong, and Very Strong. This will help you select a strong password for the user you are adding. You can find general information on how to choose a strong password and secure it in our Password tips article. If you wish to remove the password protection, you need to delete all the users that are created. Protecting the WordPress Dashboard (wp-login.php files) Besides directories, the Web Access Protection interface allows you to protect wp-login.php files. Wp-login.php is the file that is used to log in to the administrative interface of a WordPress installation. In case of a brute-force attack against your WordPress installation, the additional layer of web access protection for the wp-login.php file might be useful. If a directory contains a wp-login.php file, it will be listed below the subdirectories. To protect the web access to it, you need to click on the Plain or Digest buttons next to it and add a user. When wp-login.php is protected, and you try to log in to the administrative section of your WordPress, first you will have to bypass the web protection with the username/password you created, and after that use your WordPress username/password. You can manage this protection more easily via the hosting Control Panel > WordPress Manager by following the steps listed in our Improving WordPress security article.

The File listing protection allows you to disable the file listing over the web for directories under your account that do not have index files. If such a directory is accessed in a web browser, the web visitor would normally see the list of the files/directories there. By disabling the directory listing, you would prevent this. To enable the protection, you need to browse to the directory you want to protect at the Web access protection section. You should note that the protection works recursively and will affect all lower-level directories. To apply the protection, you need to click the Disable button under the File listing column.

Hotlinking is the inclusion of content (usually images or videos) directly from one site into another. This way the offending site generates data traffic for the original site by loading the content from there each time. If you wish to prevent hotlinking of your content, you can use the Hotlinking prevention tool of the Web access protection section of your Control Panel. To enable the protection, you need to browse to the directory you want to protect at the Web access protection section. You should note that the protection works recursively and will affect all lower-level directories. Under File extension(s), you need to list the file types you want to enable protection for. The most commonly hotlinked file types are entered by default. Under Add domains that are allowed to link to files from the hotlinking prevention list, you need to make sure to list your own domain and any parked domain names you have. Otherwise, your own site will not be allowed to display the files as well. If there are any third-party sites which you want to allow to hotlink your content, you need to list them too. The Include all subdomains option must be checked if you want to allow inclusion from all subdomains at the domain name you are allowing access for. To remove the hotlinking protection, you need to delete the whole list of file extensions you have created.

You can prevent given IP addresses, networks, or country IP ranges from being able to open your website in a web browser. To enable the protection, you need to browse to the directory you want to protect at the Web access protection section. You should note that the protection works recursively and will affect all lower-level directories. To access the interface for blocking IP addresses/networks, you need to click the Add/Remove button under Block by IP. Blocking a single IP addresss To block a given IP address, you need to enter it at the interface that follows and click the Add button. The IP address will appear in the Blocked IP addresses section. To remove an IP address from the list, you need to either use the Delete button next to it, or check the box in front of the addresses you want to unblock, and use the Delete selected button. Blocking a network range If you want to disallow the web access for a whole network, you can use wildcards. For example, if you want to block all IP addresses starting with 123.234, you need to specify: 123.234.*.* This way all IP addresses from this network block (such as 123.234.34.45 for example) will not be able to open your website. Country level IP block You can block all IP addresses belonging to a specific country from accessing your website. You just need to choose the country, the IP ranges of which you want to block, and click on the Add button below the section. The country will appear in the Blocked countries list. You can add more countries to the list by following the same procedure. To remove a country from the list, you can either use the Delete button next to it in the list, or check several countries from the list, and use the Delete selected button. The country level IP block uses the GeoIP database of Maxmind through the mod_maxminddb Apache module to determine which addresses belong to a specific country.

You can prevent the visitors of given websites from opening up your website through a link on the offensive website. This feature is commonly used when fighting the so-called "Referral spam". Referral spam is used by websites who make false requests to your website in order to get listed in your web access statistics. This way if your statistics are web-accessible and a search engine processes them, the search engine would mark a link to the offensive website and would raise its ranking. The Block Referrers feature would also prevent the hotlinking of your content by the offensive website. To enable the protection, you need to browse to the directory you want to protect at the Web access protection section. You should note that the protection works recursively and will affect all lower-level directories. To access the interface for blocking IP addresses/networks, you need to click the Add/Remove button under Block Referrers. At the interface that follows, you need to list the domains you want to block. The Include all subdomains option must be checked if you want to block all subdomains at the offensive domain as well.