How to Password Protect Access to Your X-Cart

Learn how to limit access to your store using htaccess password protection.

Olga Tereshina avatar
Written by Olga Tereshina
Updated over a week ago

Sometimes it may be necessary to close/limit access to your store website or your store Admin area for security or development purposes. You can do it using the .htaccess password protection; more info on this is available in Password Protection with htaccess.

If you have read the article, you should know that the main point here is to create two files called .htaccess and .htpasswd in the directory you want to password-protect. The .htaccess file closes access to the directory with a form to submit a login/password combination for authentication. In contrast, the file .htpasswd contains the login/password info that needs to be submitted for authentication.

First, you need to create a .htpasswd file with your login and password; the file content should be like the following:

mylogin:mypassword

Where mylogin stands for a login authorized to access this folder, and mypassword stands for a password to be used.

Next, to close your whole X-Cart store, you need to place a file named .htaccess into your X-Cart store root directory; the file should have the following contents:

AuthType Basic 
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

Where you should replace /path/to/.htpasswd with the full path to your .htpasswd.

If you need to protect the store Admin area only, the contents of the .htaccess file need to be as follows:

AuthType Basic 
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd

<Files "admin.php">
Require valid-user
</Files>

For X-Cart versions 5.4.0.0 and later, it is necessary to allow callbacks from the same domain without authentication. Here is an example of how you can do that:

Require valid-user 
Order allow,deny
Allow from <your server's external IP>
Allow from 127.0.0.1
Satisfy any

Contact your hosting provider support team to find out your server’s external IP. As an alternative option, you can obtain the IP by executing the following command on the server (for example, via SSH):

curl ipv4bot.whatismyipaddress.com

Related pages:

Did this answer your question?