Apache Digest authentication

This note applies to Apache webserver version 2.2.

Many content management systems suffer from security issues, so it is a good thing to have several independent security mechanisms protecting a website:

  1. The off the shelf authentication and authorization of your content management system. This only helps if you upgrade your website as soon as security patches are released, and if the admin password is long enough to resist a brute force attack.
  2. Protecting the folder of your admin front end with Apache Digest Authentication.
  3. Encrypting all communication between the admin front end and your webserver with SSL/TLS (https), so that it cannot be read on the wire. Upload files over ssh (sftp or scp) rather than ftp as well.
  4. Using the most secure browser available to access the admin front end, and keeping it up to date. Do not save any passwords inside your browser.

The advantages of Apache Digest authentication are that it is relatively simple to set up and that the password itself does not travel in plaintext over the web: the browser sends an MD5 hash computed from the user name, realm, password and a server nonce instead. It is not a substitute for https, though. Without encryption an eavesdropper who captures one login can still run an offline dictionary attack against a weak password, and a man in the middle can still read and alter everything else that passes between browser and server. Follow the steps below to protect the admin front end of your CMS with Apache Digest Authentication.

Step 1. Check whether your webserver loads the auth_digest module. For example, on a unix server the following line should be in your Apache configuration file httpd.conf. The AuthUserFile and Require valid-user directives used below come from mod_authn_file and mod_authz_user, which Apache 2.2 loads by default. The dav module is not needed for Digest authentication; load it only if you also serve WebDAV.

LoadModule auth_digest_module      modules/mod_auth_digest.so
# only if you serve WebDAV:
# LoadModule dav_module      modules/mod_dav.so

Step 2. Create a password file with the following command:

htdigest -c /var/www/passwd_file "Your website admin frontend" user4DigestAuthentication

The executable htdigest can be found among the Apache webserver executables. Use appropriate values for the arguments of this command: the second argument is the realm, the third the user name. Upon invoking this command it will ask for your password. The -c flag creates the file and overwrites it if it already exists, so leave -c out when adding further users to an existing file.

Step 3. Add the following to either your virtual host in the Apache virtual host configuration file httpd-vhosts.conf or to the .htaccess file (I did not try this) of the root folder of your website. For the .htaccess variant the directory must have at least AllowOverride AuthConfig in the main configuration, otherwise the directives are ignored.

<Location /administrator>
    AuthType Digest
    AuthName "Your website admin frontend"
    AuthDigestDomain /administrator
    AuthUserFile /var/www/passwd_file
    Require valid-user
</Location>

Don't forget to restart your Apache webserver if you chose to change the virtual host configuration file. Run apachectl configtest (or apachectl -t) first, so that a typo does not leave the server down.

If you decide to put the configuration in your virtual host file then put the Location section on the same level as the Directory section and put the Directory section before the Location section. Apache applies Location sections after Directory sections regardless of their order in the file, so this is mainly for readability. Keep in mind that Location matches the URL path, not the directory on disk: if the same files are also reachable under another URL (through an Alias, for example), that other URL is not protected by this block.

In the example above we have protected the subdirectory administrator within the website folder. Take care that the value of AuthName is exactly equal to the realm argument given to the htdigest command: the realm is part of the hash stored in the password file, so a mismatch makes every login fail. Finally, under no circumstances should the password file be in a directory that can be viewed over the internet! It must be readable by the user under which the webserver is running, though; on unix systems this user name is often apache (or www-data). A sensible setup is to have the file owned by root with group apache and mode 640, so that the webserver can read it but nobody else can. Remember that an entry in this file is enough to log in, because Digest authentication uses the stored hash directly, so treat the file like a password.
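The three steps above, put together as an added shell example (not code from the original note). It reproduces what htdigest writes, so the password file can be generated without an interactive prompt, writes the Location block from Step 3, and then checks the two things that most often go wrong: that the realm in AuthName equals the realm stored in the password file, and that the password file is neither inside the document root nor world-readable. The paths, user name and password are made-up values for illustration; md5sum (or openssl as a fallback) stands in for htdigest.

```shell
#!/bin/sh
# Added example, not part of the original page. Paths, user name and
# password below are assumptions chosen for illustration only.

md5hex() {
    # Hex MD5 of stdin; htdigest uses MD5 for the value it stores.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d' ' -f1
    else
        openssl dgst -md5 | sed 's/.*= //'
    fi
}

# HA1 = MD5("user:realm:password"), the third field htdigest writes.
# Whoever can read this value can log in, so protect the file.
ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5hex
}

# One line of the password file: user:realm:HA1
digest_entry() {
    printf '%s:%s:%s\n' "$1" "$2" "$(ha1 "$1" "$2" "$3")"
}

# The <Location> block from Step 3 for a URL path, realm and file.
location_block() {
    cat <<EOF
<Location $1>
    AuthType Digest
    AuthName "$2"
    AuthDigestDomain $1
    AuthUserFile $3
    Require valid-user
</Location>
EOF
}

# Pull the realm out of the AuthName line of a config fragment.
realm_in_config() {
    sed -n 's/^[[:space:]]*AuthName[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# 0 if every realm in the password file equals the AuthName realm.
# A mismatch here makes every login fail without a helpful error.
check_realm() {
    cfg=$(realm_in_config "$2")
    [ -n "$cfg" ] || return 1
    cut -d: -f2 "$1" | sort -u | while IFS= read -r r; do
        [ "$r" = "$cfg" ] || exit 1
    done
}

# 0 if the password file lies outside the document root and is not
# readable by "others" (give the webserver access via its group).
check_passwd_location() {
    case "$1" in "$2"/*) return 1 ;; esac
    [ -z "$(find "$1" -maxdepth 0 -perm -004 2>/dev/null)" ]
}

demo() {
    tmp=$(mktemp -d) || exit 1
    docroot="$tmp/htdocs"            # assumed document root
    passwd="$tmp/passwd_file"        # outside the document root
    conf="$tmp/digest.conf"
    realm="Your website admin frontend"
    mkdir -p "$docroot/administrator"

    # umask 077 so the file is never world-readable, even briefly.
    (umask 077; digest_entry user4DigestAuthentication "$realm" 'example-only' > "$passwd")
    location_block /administrator "$realm" "$passwd" > "$conf"

    check_realm "$passwd" "$conf" && echo "realm OK" || echo "realm MISMATCH"
    check_passwd_location "$passwd" "$docroot" && echo "password file OK" \
        || echo "password file is exposed or world-readable"
    rm -rf "$tmp"
}

demo
```

On a real server the generated entry goes into /var/www/passwd_file (owned by root, group apache, mode 640) and the block into the virtual host; after apachectl configtest and a restart, `curl --digest -u user4DigestAuthentication https://your.host/administrator/` from another machine should return the page only with the right password.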
