Hi all, this is my first post on this forum so I hope I'm putting this question in the right place. Be gentle with me.
I admit that while I'm an experienced designer, I'm not a very advanced developer. Usually I know everything I'd NEED to know to get sites built, tested, uploaded and maintained. But I've just run into a situation I've never encountered before and it makes no sense to me, so I'm wondering if this is just a specific problem with the host server setup or whether I'll encounter the same problem even if I switch hosting companies. Please help...
I have an existing site for a charity, and the site resides on a subdirectory of a larger charity. Recently I've spent a lot of time revamping the site and building in a custom content management system to make maintenance (on my part) a lot easier. The site and the CMS are built using PHP/MySQL extensively. I'm ready to take the site live, so the first step is to upload the 'admin' folder with all the CMS files in it onto the server, password protect it, and test it. Here's where the problem lies.
I am able to use .htaccess to password-protect the admin folder, no problem. If you type the URL to the directory itself, a password prompt comes up. But none of the files INSIDE the directory are protected. If you type the full path to any of the files inside the protected directory, it allows you to go right in... no protection, no prompt. This defeats the whole purpose of protecting the directory!
I thought this must be a glitch, so I contacted tech support for the hosting company (GoDaddy, btw) and after two days of support tickets, making their way up the line to their senior techs, this is the response I got:
The password protect feature unfortunately does not work when accessing a php file directly. This is how the server operating system is set up and unfortunately we are unable to update so it works as to your liking. If you put a .html page within it and try to access, you will see it ask for a password. We are unable to make it do the same for a .php file.
So basically they're telling me that my entire CMS can't be secured on their servers. I've never heard of this before in my life... Is it common knowledge that PHP files inside a password-protected directory can't be protected? Is this a weakness in their server setup, or would I likely get this same response elsewhere? What would be the POINT of protecting a directory if the files inside it aren't secure?? There are CMSs all over the web... how do they function if only HTML files can be protected?
Right now I'm at a loss what to do with this. I can build an HTML page for the control panel itself that will prompt the user when they access it...but it makes me cringe to think of all the PHP pages that people would be able to freely access inside that folder. The tech support guy suggested that the files can be 'masked' so they can't be seen, but I have never had to do that before and Googling it hasn't offered me any clues.
Any answers, suggestions, or advice?
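
Since the host's directory prompt is reported above not to cover .php files, one way to keep the admin scripts closed is to enforce the login inside PHP itself. This is an added example, not part of the original post; the file name `auth_guard.php`, the field names, the user name and the hash placeholder are all assumptions.

```php
<?php
// auth_guard.php (hypothetical name). Make this the first statement of every
// script in admin/:   require __DIR__ . '/auth_guard.php';
declare(strict_types=1);

const ADMIN_USER = 'editor';                     // constructed sample user name
// Placeholder: paste the output of password_hash('<password>', PASSWORD_DEFAULT).
const ADMIN_HASH = 'REPLACE_WITH_PASSWORD_HASH';

session_set_cookie_params([
    'httponly' => true,                          // cookie not readable from JavaScript
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'samesite' => 'Strict',
]);
session_start();

function credentials_ok($user, $pass): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;                            // rejects array-valued form fields
    }
    // Verify the password even when the user name is wrong, so both paths cost the same.
    $passOk = password_verify($pass, ADMIN_HASH);
    return hash_equals(ADMIN_USER, $user) && $passOk;
}

if (empty($_SESSION['is_admin'])) {
    $isLogin = $_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['guard_user']);
    if ($isLogin && credentials_ok($_POST['guard_user'], $_POST['guard_pass'] ?? null)) {
        session_regenerate_id(true);             // fresh session id after login (fixation)
        $_SESSION['is_admin'] = true;
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
        exit;
    }
    http_response_code(403);
    header('Cache-Control: no-store');
    echo '<form method="post">',
         $isLogin ? '<p>Login failed.</p>' : '',
         '<label>User <input name="guard_user" autocomplete="username"></label> ',
         '<label>Password <input name="guard_pass" type="password"></label> ',
         '<button>Log in</button></form>';
    exit;                                        // the including script never runs
}
```

The guard covers only scripts that include it, so images, uploads and other static files in the folder still depend on the server's own protection.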