Thanks for the response, this was essentially the answer I was looking for. I do have a question though -- what do you mean by "Make sure that the site is NOT available through SSL"? Perhaps I'm missing something, but it would seem that if anything, it would be more imperative to ensure that the site is not available without SSL (i.e., no way to get in without SSL).
As for robots.txt and security -- hahaha. I would imagine that any would-be hax0r would immediately look at robots.txt to see if anyone was disallowing /admin or /password and then request that very document. Thanks again.

> To answer the original question: yes, if the username/password
> authentication is done through SSL, you are relatively safe.
> Be sure to at least follow the following steps:
>
> - Make sure that the site is NOT available through SSL
> - Make sure that .htaccess files are non-retrievable (but still readable
>   by the webserver though)
> - Make sure that the files for usernames+passwords are located outside the
>   webroot
> - Try to sniff yourself (with tcpdump for example) to be 100% sure
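The quoted checklist written out as an Apache httpd 2.4 configuration, added here as an example and not taken from the thread; it takes the first step as "not available without SSL" (the reading questioned above), and the hostname, certificate paths, password-file path and realm name are placeholders.

```apache
# Added example (not from the thread): Apache httpd 2.4 configuration
# implementing the quoted checklist. Hostnames, paths and the realm
# name are placeholders; adjust to your own layout.

# The plain-HTTP vhost exists only to redirect. Nothing is served over
# it, so a browser never gets the chance to send credentials in clear.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/site/htdocs"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/example.pem"    # placeholder
    SSLCertificateKeyFile "/etc/ssl/private/example.key"  # placeholder

    # Protected area. SSLRequireSSL refuses the request outright if the
    # connection is not TLS, even if the redirect above is ever bypassed,
    # so Basic auth credentials are only ever evaluated over SSL.
    <Directory "/var/www/site/htdocs/admin">
        SSLRequireSSL
        AuthType Basic
        AuthName "Admin area"
        # Password file lives OUTSIDE DocumentRoot: no URL maps to it,
        # but the server process can still read it from disk.
        AuthUserFile "/etc/apache2/auth/admin.htpasswd"
        Require valid-user
        # Do not advertise this path in robots.txt; the Require line,
        # not obscurity, is what protects it.
    </Directory>

    # Even if someone drops a .htaccess or .htpasswd inside the webroot,
    # make sure it is never retrievable by URL.
    <Files ".ht*">
        Require all denied
    </Files>
</VirtualHost>
```

Create the password file with `htpasswd -c /etc/apache2/auth/admin.htpasswd <user>` and make it readable only by root and the server's group, then confirm with `curl -I http://www.example.com/admin/` (expect a 301 to https) and `curl -I https://www.example.com/.htpasswd` (expect 403). As the quoted reply suggests, a `tcpdump` capture on port 80 while logging in is the final check that no `Authorization:` header crosses the wire in clear text.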