How to password protect Apache site or folder but still allow some IP ranges

There are cases where you’d want a particular site or subfolder to be easily accessible from specific locations (like the intranet) but apply a minimum protection from public eye for the wide internet.

Apache does support this mixed configuration for its sites through its htaccess functionality.

How to exclude subfolder from password protection with .htaccess

You sometimes need to password protect a folder or an entire account/website from direct access. That’s easily done with the appropriate .htaccess file in the protected folder plus the mandatory .htpasswd file with the correct user and password combination(s).

But what do you do when you want to enable direct access to a subfolder of the protected folder?

Quickly limiting access to php scripts using .htaccess

Sometimes one needs to quickly block access to offending scripts – like for instance when a site has been hacked and malicious files have been uploaded to the account and are used to send out spam emails.

Apache provides a simple way to block out files from being accessible to visitors. And as most intrusions involve directly access hacked php files, the bit below will do wonders at blocking out those direct calls while leaving the main site fully functional (sort of).

Restricting access to hidden site using .htaccess

Just like in real-life construction and rebuilding, you sometimes need to demolish and rebuild an existing website. And you probably want to do this behind a very nice and safe wall.

The wall, in our case, will be a “currently rebuilding. please visit soon” index.html file. If directory index priority is set to html then php, now the index.html file will be our visible website and hide the soon-to-be-demolished php-based website.