MakeStaticSite

Access Restrictions

The construction of a site in a CMS requires a user account with certain privileges. In other words, the CMS imposes access restrictions on creating and developing content. They also help ensure that certain content is not available to the public, which, in the case of a static alternative, is effectively the entire CMS. If you are developing the site on your laptop, say, then you might rely on the fact that your computer is effectively hidden through your router’s firewall, but if you are with a hosting provider, then you will need to specify some restrictions.

We illustrate how to set up access restrictions with particular reference to WordPress and cPanel (link provided for information purposes — you won’t need to download cPanel). In this scenario, you set up a WordPress site using cPanel in the standard way (as shown in a wpbeginner tutorial). The main additional requirement is to restrict access and then, depending on the method chosen, when you run MakeStaticSite, you will need to instruct Wget to use the credentials accordingly. Two methods are described below.

N.B. The second method is considerably more involved and has only been tested with WordPress.

Method 1: Directory Privacy

A basic method is to set up what is referred to as directory privacy. This means that when users try to access the website with a browser, they will be challenged to enter a username and password and/or access will be granted dependent on the Internet (IP) address of their machine. This uses a .htaccess file to specify a username and password or IP address needed to access the directory containing your website. This can be created manually, but it is easier to do this visually in cPanel.

  1. Log in to your host provider’s cPanel
  2. From the dashboard’s Files section, select Directory Privacy. This will open a page with a table of folders.
  3. In the column labelled ‘Current Directory’, navigate to the folder containing your website. Then click the [Edit] button.
  4. In the ‘Set Permissions’ page, check the box for ‘Password protect this directory’ and enter a name for the protected directory. Click on [Save] and the protection mechanism will be installed.
  5. Click on the Go Back link to return to the permissions page.
  6. Under ‘Create User’ enter a username and password. Then [Save].

(More details on this method.)

Then, in the MakeStaticSite configuration, which we will describe later, include the string --user user --password pass in the wget_options parameter, providing your username and password for user and pass respectively.

A separate username and password can be created for each member of the team. It’s a rudimentary method that requires people (or browser) to remember another username/password pair, but it has the advantage of avoiding any processing in web applications.

Method 2: CMS-restricted Access

The second method is to configure the web application (which we refer to as a CMS for sake of convenience) to restrict access analogous to the first method, but here the CMS manages the access, not the Web server. This method is generally more flexible than the first as you can tailor the Web output depending on which user account is being used. For the usual case of creating a public snapshot, the user account should be chosen to have minimal privileges. Typically, we may create a guest account for this purpose.

Apart from creating and setting privileges for the account, the CMS needs to be configured to only allow access to those with valid credentials and/or IP address. For WordPress, this may be achieved using a plugin such as Restricted Site Access. From the Dashboard, select ‘Settings’ followed by ‘Reading’, then as soon as you activate the plugin, access is restricted to account holders and those accessing from designated IPs. To enable access by IP address, in the Reading settings, navigate to the Restricted Site Access section and for ‘Unrestricted IP addresses’ enter the IP address(es) of the machine(s) from where you will be running MakeStaticSite (the button [Add my current IP address] is handy here). Then click on the [Save] button. Note that if your machine is allocated its IP address through DHCP, then you will have to change the setting in the dashboard accordingly.

There is one further prerequisite for WordPress and perhaps other CMS. By default, WordPress includes the Admin bar for logged-in users. This can be disabled for any user using the Dashboard. Simply select Users -> All Users -> and click on the Edit link. Then uncheck the box marked ‘Show toolbar when viewing site’.

Credentials Management

Access to the CMS depends on credentials, which need to be accessible to MakeStaticSite to instantiate Wget username and password fields in HTTP requests. Whilst it is possible to simply enter the username and password fields in the .cfg configuration file, the exposure of the password in plain text in a file that might be circulated is deprecated.

Instead it is recommended that during setup you use pass to encrypt and store the password. For this, you first need to specify credentials_storage_mode=encrypt. Then configure the home of the credentials store, credentials_home and within that a particular namespace, through the option credentials_storage_namespace. By default it is set to MSS as MakeStaticSite-specific directory.

The .cfg file will save only the username and then during a run of makestaticsite.sh, the password will be read from the store using the command: pass show credentials_insert_path. This is then stored temporarily in a ‘run commands’ file which acts as a temporary storage of credentials accessible to Wget, avoiding the need to explicitly populate a password parameter. Having authenticated, it will crawl a site using session cookies, in the same way as a desktop web browser.

A list of the relevant options:

credentials_rc_file
Default: .netrc
‘Run commands’ file for (temporary) storage of credentials — either .wgetrc or .netrc
credentials_cleanup*
Default: yes
Delete references to credentials in temp files and .rc file on completion of run (y/n)?
credentials_manage_cmd
Default: pass
Path to binary for managing (and encrypting) credentials.
credentials_storage_namespace
Default: MSS
MakeStaticSite-specific directory for storing credentials (usernames, passwords, tokens, etc.).
credentials_storage_mode
Default: plain
How to store credentials: config to store in the configuration file, as-is; plain to store separately, as-is, in plain text; encrypt to store separately and encrypt.
credentials_extension
Default: gpg
Encryption file type extension.
credentials_home
Default: "$HOME/.password-store"
Password-designated directory under which credentials are stored.

This page was published on 22 November 2022 and last updated on 6 April 2025.