Firewall vs. custom PHP to protect sensitive dirs


I have subdirs on one of my sites where I keep sensitive info for downloading purposes (for instance, solutions for clients) and the other day I saw an authorized page render come through. these subdirs are currently PW protected using a godaddy cPanel tool, but everyone knows that hosting companies know nothing about anything. they are pushing the concept of a firewall to get rid of this activity, and they say it will filter IPs so certain countries or regions can be blocked out. and of course, it is a paid-for service. but I know good and well I can do it for free using other methods. heck, I could write a simple query and only allow IP addresses from the client’s country and city if I wanted to. Just not render anything to the page unless it is them.

I got this knowledge from @astonecipher a long time ago:

either that, or this one:

my question is…will this keep unauthorized people out for sure? and how much risk is there? obviously I can’t have proprietary info in a subdir, available for client downloading in the form of a ZIP if bots or other large companies running automation specifically for the purposes of spying in a desperate attempt to find out what others are up to and copy them to keep their profits going, if nothing works.

Can someone shed some light on this? I can do a few workarounds, as I’ve done it for decades, but that takes too much time. thanks. see image below and subsequent links for the occurence that got around Godaddy’s canned software security:

TIME WARNER CABLE IP ADDRESSES that accessed the page:

Security is subjective; it kinda depends on how dangerous you personally view a breach. From what you’ve said these auth methods should be good enough, AS LONG AS YOU ALSO USE SSL. If you don’t then the username and password will be sent “in the clear” and attackers may be able to read them.

I believe you. thanks for the response. but I assume by you saying: these auth methods, you are referring to the 2 links I posted that cover HTTP basic authentication, one given to me by @astonecipher?


That’s right. Just make sure your website is delivered over HTTPS; do not allow access to the page using standard HTTP.

should I even be worried about that, or is that even my job to check, if I already have an SSL cert applied to the site anyway?

Having an SSL cert just means people can access your site using HTTPS, but you may find that still works. It’s up to the server configuration to make sure that people must use HTTPS.

that is not an issue, skawid, because all of the redirect XML-oriented code is in the .htaccess files. I have tested every possibility, and all of the possibles automatically re-route to:

that’s what you were referring to, right?

That’s right. It sounds like you’ve covered all the bases.

yeah I think pretty much. I mean, everytime I call a corporation I have to tell the level 1,2, and 3 agents that they are not privey to the knowledge that is necessary to answer my questions. some like hearing that and comply with putting me through, some don’t. some literally will ask me 50 million questions because they think they know it all, and are ticked off that they are not smart enough to get promoted. LOL. oh well! =) thanks for the help. this issue is now closed.

Sponsor our Newsletter | Privacy Policy | Terms of Service