Sometimes it may be necessary to close/limit access to your store website or your store Admin area for security or development purposes. This can be done using htaccess password protection; more info on this is available in the article Password Protection with htaccess.

If you have read the article, you should already know that the main point here is to create two files called .htaccess and .htpasswd in the directory you want to password protect. The file .htaccess actually closes access to the directory with a form where you need to submit a login/password combination for authentication, whereas the file .htpasswd contains the login/password info that needs to be submitted for authentication.

First, you need to create a .htpasswd file with your login and password; the file content should be like the following:

mylogin:mypassword

where mylogin stands for a login authorized to access this folder and mypassword stands for a password to be used.

Next, to close your whole X-Cart store you need to place a file named .htaccess into your X-Cart store root directory; the file should have the following contents:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user

where /path/to/.htpasswd should be replaced with the full path to your .htpasswd.

If you need to password protect the store Admin area only, the contents of the file .htaccess needs to be as follows:

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
<Files "admin.php">
Require valid-user
</Files>

For X-Cart versions 5.4.0.0 and later it is necessary to allow callbacks from the same domain without authentication. Here is an example for how that can be done:

Require valid-user
Order allow,deny
Allow from <your server's external IP>
Allow from 127.0.0.1
Satisfy any

To find out your server’s external IP, contact your hosting provider support team. As an alternative option, you can obtain the IP by executing the following command on the server (for example, via SSH):

curl ipv4bot.whatismyipaddress.com