Web access protection

Protecting Directories With a Password To password-protect a directory: Go to the Protection section. Click Enable next to the directory you want to secure. Click Add User to create login credentials. Note: Directory protection is recursive - it will apply to all subdirectories as well. As you type your new password, a strength indicator below the field updates in real time. It shows one of four strength levels. You’ll also see tips and requirements in a red tooltip just below the indicator to help you create a stronger password. For guidance, check our articles on: Choosing a password Using the Random password generator To remove protection from a directory, simply delete all the users you’ve added for it. Protecting the WordPress Dashboard (wp-login.php) You can also secure the WordPress login page through the Protection section. The wp-login.php file is the entry point to your WordPress admin area. Adding an extra login layer helps protect against brute-force attacks. If a directory contains a wp-login.php file, it will appear just below the subdirectories. To protect it: Navigate to the WordPress directory. Click on Enable next to wp-login.php. Click Add User to create login credentials. Once protection is enabled, accessing your WordPress dashboard will require two logins: First, the Web Access Protection credentials. Then, your usual WordPress username and password. You can also manage this feature from the WordPress Manager in the Hosting Control Panel. See our article on Improving WordPress security article.

The File listing protection allows you to disable the file listing over the web for directories under your account that do not have index files. If such a directory is accessed in a web browser, the web visitor would normally see the list of the files/directories there. By disabling the directory listing, you would prevent this. To enable the protection, you need to browse to the directory you want to protect at the Web access protection section. You should note that the protection works recursively and will affect all lower-level directories. To apply the protection, you need to click the Toggle button under the File listing column.

Hotlinking is when other websites embed your content (e.g. images, CSS, videos) directly from your server, consuming your bandwidth. The Hotlinking prevention tool in the Protection section > Web Access Protection helps you stop this. To enable hotlinking protection: Navigate to the directory you want to protect. Click on Edit next to the directory in the Hotlinking Prevention column. Click Add next to File extensions not to be hotlinked, and specify file extensions (comma-separated) that should not be hotlinked, such as: gif,jpg,jpeg,png,css,js. Under Allowed domains, add your own domain (and parked domains), or any trusted third-party sites. Be sure to toggle Include all subdomains if needed. Important: If you don't list your own domain(s), your website may not display the protected files correctly. To disable hotlinking protection: Click Disable Hotlinking Prevention or delete all entries from the file extension and allowed domain lists.

You can prevent given IP addresses, networks, or country IP ranges from being able to open your website in a web browser. To enable the protection, you need to browse to the directory you want to protect at the Web access protection section. You should note that the protection works recursively and will affect all lower-level directories. To access the interface for blocking IP addresses/networks, you need to click Manage under Block by IP. Blocking a single IP address To block an IP address: Click Add next to Blocked IP addresses. Type in the IP address. Click Add. The IP address will appear in the Blocked IP addresses section. To remove an IP address from the list, you need to either use the Delete button next to it, or check the box in front of the addresses you want to unblock, and click Delete selected. Blocking a network range If you want to disallow the web access for a whole network, you can use wildcards. For example, if you want to block all IP addresses starting with 123.234, you need to specify: 123.234.*.* This way all IP addresses from this network block (such as 123.234.34.45 for example) will not be able to open your website. Blocking a Country To block a whole country: Click Add next to Blocked countries. Choose a country from the drop-down. Click Add. The country will appear in the Blocked Countries section. To remove a country block you need to either use the Delete button next to it, or check the box in front of the countries you want to unblock, and click Delete selected. The country level IP block uses the GeoIP database of Maxmind through the mod_maxminddb Apache module to determine which addresses belong to a specific country.

You can prevent the visitors of given websites from opening up your website through a link on the offensive website. This feature is commonly used when fighting the so-called "Referral spam". Referral spam is used by websites who make false requests to your website in order to get listed in your web access statistics. This way if your statistics are web-accessible and a search engine processes them, the search engine would mark a link to the offensive website and would raise its ranking. The Block Referrers feature would also prevent the hotlinking of your content by the offensive website. To block a referrer: Click Add new domain. Type in the domain name. Check Include all subdomains if you wish to block all subdomains. Click Add. Afterwards, the blocked domain name will show up in the list of Blocked Domains.