I've been thinking about password protecting my MT weblog and was just wondering what the easiest and most secure option would be for that, especially if my MT files reside in my cgi-bin? (Note: My host does provide password protection through the server's control panel)

I have the same question... I want to password protect my url and i'd like to approve requests before they can view the site. Is something like this possible? It doesn't seem i can password protect the root in my cpanel.

You can use .htaccess to password protect and it is probably one of the harder methods to crack. The .htacess file also affects any directory underneath it. There are methods with PHP and other scripting languages as well.

If you wanted to approve users, you could just have them e-mail you before you will give them the username/password.

I wouldn't recommend password-protecting the root directory of your site. If you did, then anyone accessing your domain would have to login. A better solution might be to make a subdirectory or subdomain and password protect that. In your root directory, have just one file (index.html or equivalent) to tell the visitors that they must be authorized to access the site.

Just my thoughts. Does that help?

Edit: It is possible to protect the root through the version of cPanel that I have (6.0 I think). I chose "Pass Protect Folders" under "Manage" and I am presented with a list of directories.

I want anybody viewing my domain to login - because my blog is at the root of my site. The cpanel I have will not let me password protect the root and I would like the ability for users to lookup their password on their own if they lose it. I do want to authenticate anybody who uses the site.
I'm looking at this - http://www.eastwright.com/internet/register/
but it seems a little scary and intimidating. I'm interested to see if anybody else who has password protected their site has any suggestions and if MT has any plans on building this feature into it's next release.

Try for a method using .htaccess. It's not hard to do. There are currently some sites using MT that password protect them. That example just so happens to be using the RegisterMe! software you linked to.

Edit: Here are a couple more related links, both from DevArticles...
-
- Creating a Secure PHP Login Script

hi.. i was wondering if there's a way in mt that you can set certain entries as private, and can only be viewed by typing in a password.

i've seen blogs like those, but i didn't check if they're mt-powered or not.

That sounds like a job for the scriptygoddess restricted post hack.

http://www.scriptygoddess.com/archives/000916.php
http://www.scriptygoddess.com/archives/000934.php

Does that help?

The problem with your host not allowing you to password protect the root means you'll just have to move the page into a subdirectory and use htaccess. You could then set up a meta tag redirect to instantly take anyone who went to your url to the page in the subdirectory (i.e they wouldn't have to click anything).

But if you want the user to be able to get their password if they forget, I think you'll have to use php. Are you using a mysql database for your blog? If so, I can provide you php code for the signup, login, and password reminder functions.

-Slim

Slim: would you mind sharing that code you were talking about? I'm interested to take a look.

Thanks.

I have implemented How to make restricted access posts on your site however in PAGE ONE of the FORM EMAIL INSTRUCTIONS where it says I keep getting an error so I have removed this code for now. Near the end of this code where it says I was just wondering if I have to change that in any way and if so, could you give me an example of how it should look.

Now what if you want to protect just the MT login screen?

I tried to turn on a directory password protection from my host, and while this did create a second password layer to get to the MT login screen, it also made anything running a MT script (Search for example) require a password also.

I am trying to do this as I see way too many login attempts when looking at my log files than there should be. As in a dozen a day when I am the only admin of my blog,a nd I do not want to find my blog hijacked by a hacker.

Wayan

wayan, you can move your mt.cgi file into a subdirectory of your main MT directory and password protect the new subdirectory only.

Example:

/mt/
mt-comments.cgi
mt-tb.cgi
mt-send-entry.cgi
mt-view.cgi
...etc...

/mt/admin/
mt.cgi

And then you can password protect /mt/admin/ using .htaccess. You also need to add the AdminCGIPath to mt.cfg so MT knows the new location of mt.cgi.