Disable Magento Frontend via htaccess

Some days ago one of our customers approached us with the goal to disable the Magento store frontend for the public and only use the Magento backend for internal use.
Of course this prevents customers from purchasing your products, but in addition also minimizes possible attack vectors for the Magento software.

With the following snippet in the Apache .htaccess file, the frontend will no longer be accessible and return a custom 404 page:

ErrorDocument 404 /closed.html

RewriteEngine on

RewriteCond %{REQUEST_URI} !^/(index.php/)?(admin/)?backend(.*) [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{HTTP_COOKIE} !passthrough=secret;? [NC]
RewriteRule .* - [L,R=404]

In this snippet you have to replace the string “backend” with your Magento admin url and optionally the “secret” with a more complex password.
Afterwards you only have to create the closed.html maintenance page.

As a result the Magento store frontend is no longer available and the maintenance page is shown. If you still need to access the frontend – e.g. to lookup certain values or something like that – you can manually create a cookie with name “passthrough” and value “secret” and the protected frontend will be shown.

For nginx or Caddy webservers the procedure is very similar.

Disable Magento Frontend via htaccess