Turns out htpasswd limits passwords to 8 characters in length by default prior to Apache HTTPd v2.2.18. I run CentOS 5 with HTTPd v2.2.3. I don’t rely on .htaccess password access for anything serious but I do use it as an https ‘front door’ for one of my addresses which does have its own properly secured password access. I’ve been running it like this for years and I was sure something funny was going on when entering the username/password combo in there. I swore I was noticing incorrect passwords getting through. Today I decided to test it out thoroughly.
Word to the wise: If you’re getting comment spam, try WordPress’ IP blacklist feature but, when that doesn’t work, try the guaranteed way: .htaccess.
Update 2011-04-03: Reformatted .htaccess config lines now that I know how to do better formatting.
I get a lot of spam on this blog, mainly to one post that got a lot of links. Akismet is great at detecting this spam and not publishing the comment. But it gets tiring removing comments from the same IPs all the time. So, I tried WordPress’ IP blacklist feature but it didn’t work. For some reason I totally forgot about .htaccess. It’s the fail-safe mechanism for protecting your site against IPs that abuse your blog.
Just put a file named .htaccess in your blog directory if you’re running Apache. If you’re running some other httpd server, sorry, you’ll have to find another way. But if you can use .htaccess, you can do this:
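# Apache 2.2 syntax. Without an Order line the default is Deny,Allow,
# and "allow from all" would then override every deny line below.
order allow,deny
deny from 220.127.116.11
deny from 18.104.22.168
deny from ...
allow from all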
You can put as many “deny from 22.214.171.124” lines as you like.
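How Apache 2.2 combines `allow from` and `deny from` lines depends on the `Order` directive, whose default is `Deny,Allow`. The following is an added example, not code from the original post: a small Python model of the two orderings that handles only `all`, single IPs and CIDR ranges, using constructed sample rules and documentation-range addresses.

```python
import ipaddress

def _matches(spec, client):
    """True if one 'allow from' / 'deny from' argument covers the client IP."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Collect Order, Allow and Deny from .htaccess-style lines."""
    order, allow, deny = "deny,allow", [], []   # Apache 2.2 default Order
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()    # drop comments and blanks
        if not words:
            continue
        key = words[0].lower()
        if key == "order" and len(words) >= 2:
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(text, client):
    """Model of the mod_authz_host decision for one client address."""
    order, allow, deny = parse_rules(text)
    allowed = any(_matches(s, client) for s in allow)
    denied = any(_matches(s, client) for s in deny)
    if order == "allow,deny":
        # Default deny; a matching deny line beats a matching allow line.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow; a matching allow line beats a matching deny line.
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)

# Constructed sample rules (203.0.113.7 stands in for a spamming address).
WITHOUT_ORDER = "deny from 203.0.113.7\nallow from all\n"
WITH_ORDER = "order allow,deny\n" + WITHOUT_ORDER

if __name__ == "__main__":
    for name, rules in (("no Order line", WITHOUT_ORDER), ("order allow,deny", WITH_ORDER)):
        for ip in ("203.0.113.7", "198.51.100.20"):
            print(name, ip, "allowed" if is_allowed(rules, ip) else "denied")
```
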