htaccess & renaming htpasswd - Post...

User 267177 Photo


Registered User
12 posts

Before upgrading to WAM, I was using htaccess manually and doing two things I don't know how to do in WAM:

1. Rename the dot htpasswd file.
2. FTP dot htpasswd file to the directory above the root so that it is not accessible on the web.

Even though my service provider's Apache server will not allow a browser to see hidden files on the root by default, as WAM stores them on the domain root, I heard that they can be FTP'd if my domain is hacked, and am thus concerned.

If I manually did 1. and 2. and edited the AuthUserFile URL in the dot htaccess files, is there a way I could still let WAM work?
Rob
User 147665 Photo


Ambassador
712 posts

I don't have a server to test with right now.. but I think.
During ftp setup, you can use the 'autodetect' server root and then edit the path. I think that creates the path to the password file in the htaccess file.
..did I say that right..:/
someone shoot me down -or- back me up on this one.. I can set up a fake test if needed.

#### CC BEGIN WEBSITE ACCESS MANAGER ####

# Directory Listing
Options +Indexes
AuthUserFile /home/users/web/b5558/ascb.shrn55uff/.htpasswd
AuthName "Members Only"
AuthType Basic

but, yes you could edit the files and it should work fine, but then you have to do it each time you change something.

User 38401 Photo


Senior Advisor
10,951 posts

When you set up the WAM program for a site, it will automatically set up the htaccess files you need for the files you set it up for. It's not accessible, if that's what you're worried about. What would be the point of having this setup if it wasn't secure? No worries, if you set it up correctly right within the program, it will upload the necessary files to the correct location(s), and the site folder(s) and/or page(s) that you have chosen to be protected will be safe.

There's a test site set up; if you check the WAM forum threads you'll find it pretty easily, I think. It shows you how it works, but if you've been working with htaccess files already then you already know what to expect, so it shouldn't be too difficult for you to figure out.
User 147665 Photo


Ambassador
712 posts

I see that as a 'part' back me up.. yes, if you edit them manually it will work fine.

but if the program server path setting would do it partially for directory path and just leave the htpasswd name the same.

It probably would then upload both files to the non-www directory. If so, just move the htaccess file to the www directory. That way the file path would be set in the htaccess.. no editing, just a file move

User 267177 Photo


Registered User
12 posts

Hi Dave & Jo-Ann,

Thanks for your good suggestions. I've tried editing the path as suggested, but my edits are not permanent. On the menu, under Tools>FTP Settings, I first entered all the details required. Then I clicked the Browse button and selected the top root (in my case) in the window that opens, which shows all the folders on my domain, and it closes again. However, I noticed that "/web" shows as selected. "/web" is part of Apache's directory listing and is not part of a URL. It seems to be used 'internally' by the host and I can't remove or edit it. It is also automatically found by WAM.

When I clicked the pull down Advanced link below, the server root field Dave referred to with the Auto-Detect button is visible. I can edit and remove "/web" in the field there, but if I click Auto-Detect it puts "/web" right back. If I remove "/web" and click OK without clicking Auto-Detect, the FTP window closes and WAM starts re-retrieving my directory (I've set the options to open the last database). After retrieving the directory, I'm back at square one because "/web" is there again.

Jo-Ann, Thanks for assuring me it is not accessible. I tried your test site before posting and it worked fine. Do you by any chance know why it has been the practice to save the dot htpasswd file above the root? I guess there is no need to rename the file as well.
Rob
User 38401 Photo


Senior Advisor
10,951 posts

Hiya Rob,

I'm going to take a "guess" at this answer, but I am not fully sure on the path and why it sets it at the root of the site. I'm guessing mostly because that's usually the deepest directory many people have access to on their websites and servers. If you have your own server you'll have access to deeper areas, but many only have access to their own domain area and those things within it. Putting the files deeper than that would in a sense put them out of the person's access to do anything with them.

Just a guess that is, so hopefully someone else has a better idea on that information.
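
As an added example (not part of the thread and not WAM's own code), the Python script below checks what Rob's two manual steps are meant to achieve: it reads every .htaccess under a document root and reports whether each AuthUserFile target resolves inside that root, where the password file's protection depends on the server refusing to serve it. The directory names, the file name members.pw and the sample tree are constructed for the example.

```python
import os
import re
import tempfile

# AuthUserFile directive, path optionally quoted; commented-out lines do not match.
AUTH_RE = re.compile(r'^[ \t]*AuthUserFile[ \t]+"?([^"\n]+?)"?[ \t]*$', re.I | re.M)

def audit_docroot(docroot):
    """Return (htaccess, password_file, inside_docroot) per AuthUserFile found."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for match in AUTH_RE.finditer(text):
            raw = match.group(1)
            if not os.path.isabs(raw):
                # Apache resolves relative paths against ServerRoot, unknown here.
                findings.append((htaccess, raw, None))
                continue
            pw = os.path.realpath(raw)
            findings.append((htaccess, pw, os.path.commonpath([root, pw]) == root))
    return findings

def build_sample(base):
    """Constructed tree: 'members' keeps the file in the docroot, 'admin' above it."""
    docroot = os.path.join(base, "web")
    targets = {
        "members": os.path.join(docroot, ".htpasswd"),
        "admin": os.path.join(base, "private", "members.pw"),  # renamed, above root
    }
    for name, pw in targets.items():
        os.makedirs(os.path.join(docroot, name))
        with open(os.path.join(docroot, name, ".htaccess"), "w") as fh:
            fh.write(f'AuthUserFile {pw}\nAuthName "Members Only"\n'
                     "AuthType Basic\nRequire valid-user\n")
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for htaccess, pw, inside in audit_docroot(build_sample(base)):
            status = {True: "INSIDE docroot", False: "outside docroot",
                      None: "relative path, check ServerRoot"}[inside]
            print(f"{status}: {htaccess} -> {pw}")
```
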
