Securing your Mautic installation against unauthorized connections

It is preferable to protect the Mautic login page against unauthorized login attempts, SQL injection attempts or attempts to discover the administrator password using a brute force attack script.

The best way is to add a second authentication step via an htpasswd file in front of the login page of your Mautic installation.

This tutorial works for Apache 2.4.

Step 1
Create a .htpasswd file
The following command creates a new file and stores a record in it for user jerry. The user is prompted for the password. If the file exists and cannot be read, or cannot be written, it is not altered and htpasswd will display a message and return an error status.

# htpasswd -c /etc/apache2/.htpasswd jerry

Step 2
In the VirtualHost in your config file: /etc/apache2/sites-available/mautic.conf

Write this:

    <Location /s/login>
        AuthUserFile /etc/apache2/.htpasswd
        AuthName "Username and password required"
        AuthType Basic
        Require valid-user
    </Location>

The complete version:

<VirtualHost *:443>
    DocumentRoot /var/www/html/mautic
    ServerName mautic.domaine.com

    # Basic auth applies only to the login form; the rest of the site
    # (including the tracking endpoints) stays reachable without it.
    <Location /s/login>
        AuthUserFile /etc/apache2/.htpasswd
        AuthName "Username and password required"
        AuthType Basic
        Require valid-user
    </Location>

    <Directory /var/www/html/mautic/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Step 3
Check your Apache config

# apachectl configtest
# Syntax OK

Step 4
Restart apache2

# systemctl restart apache2
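A small pre-deploy check for the configuration above, added here as an example and not part of the original post: it parses the VirtualHost text, confirms that /s/login is behind Basic auth with an htpasswd file that is not inside DocumentRoot, and warns when a protected Location would also cover Mautic's tracking endpoints. The config text and the tracking paths (/mtc.js, /mtracking.gif, /mtc/event) are assumptions for the example.

```python
import re

# Constructed sample: the VirtualHost from the post above, reduced to what the
# checks need (assumed config text, not read from a real server).
SAMPLE_CONF = """
<VirtualHost *:443>
    DocumentRoot /var/www/html/mautic
    <Location /s/login>
        AuthUserFile /etc/apache2/.htpasswd
        AuthName "Username and password required"
        AuthType Basic
        Require valid-user
    </Location>
</VirtualHost>
"""

# Tracking endpoints that must stay reachable without credentials (assumed paths).
PUBLIC_PATHS = ("/mtc.js", "/mtracking.gif", "/mtc/event")

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def parse_locations(conf):
    """Return {path: {directive: value}} for every <Location> block in conf."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip().strip('"')
        blocks[path] = directives
    return blocks


def is_basic_protected(directives):
    """True when the block demands Basic auth from a valid htpasswd user."""
    return (directives.get("AuthType", "").lower() == "basic"
            and directives.get("Require") == "valid-user"
            and "AuthUserFile" in directives)


def covers(location, path):
    """Apache <Location> prefix matching on path-segment boundaries."""
    return path == location or path.startswith(location.rstrip("/") + "/")


def audit(conf, login_path="/s/login"):
    """Return a list of findings; an empty list means the config matches the post's intent."""
    findings = []
    locations = parse_locations(conf)
    login = locations.get(login_path)
    if login is None or not is_basic_protected(login):
        findings.append(f"{login_path} is not behind Basic auth")
    docroot = re.search(r"DocumentRoot\s+(\S+)", conf)
    if login and docroot and covers(docroot.group(1), login.get("AuthUserFile", "")):
        findings.append("AuthUserFile is inside DocumentRoot and could be served to clients")
    for loc, directives in locations.items():
        broken = [p for p in PUBLIC_PATHS if is_basic_protected(directives) and covers(loc, p)]
        if broken:
            findings.append(f"<Location {loc}> would also prompt for credentials on {broken}")
    return findings
```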


Another option would be to use Cloudflare's Access feature located in the Zero Trust panel. Based on the policy you set, it can act as two-factor authentication to lock down the whole domain or just parts of it like the administrator directory.

I'm wondering if your tracking works after this.

Hello,
Yes of course, tracking still works.
The htpasswd simply limits access to the login form accessible at the following address “/s/login”.

Cool, thx!