I’m using Dreamhost’s htaccess to password protect a member’s area of my newly launched graphics website. It’s the first time I’ve ever used htacess. Today, I noticed from my stats that over 6000 of my graphics on the paid members side had been downloaded (only 300 HTML files), but I don’t have any members yet that could have downloaded the files. I’m worried that someone may have attempted to download my entire website with a website grabber program or cracked into my htaccess protected directory.
My question is: can people snatch the files in a htaccess protected directory with a website grabber program? And is it very easy to crack into a htaccess protected directory?
What can I do to ensure greater protection (I’m not a programmer.) of this directory?
You’ll need to have someone look at the web server log files in addition to the content of your .htaccess files - have you ruled yourself out, for instance?
Yes, people can use programs to snatch password-protected files. All they need to know is the username and password. A browser is just another type of ‘website grabber’ after all. Technically speaking, browsers and ‘website grabbers’ and other programs that speak HTTP to download stuff are ‘web clients’ and it easy for a web client to support the HTTP Basic authentication method used to provide the password protection.
As for as how easy it is to crack and password-protected directory: well, that depends on a lot of things. A brute-force or a ‘guess the password’ attack would be very obvious in the logs; you should see dozens if not hundreds or more of 401 errors. However that might not be noticable if you have used an ‘obvious’ username and password (like ‘admin’ for both), or the guesses are spread out over time. Then again, someone could have been snooping (comprimised your network connection or e-mail, etc) to get the username and password rather than trying to pick the lock.
To ensure greater protection? As for as preventing unauthorized access, do not put them on the web to begin with, or use public key cryptography. Or at least ask someone with experience to help you with the ‘programming’ part of running your site.