#41019 Add extra security to the root directory of my development subdomains

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 5.1.2
PHP version: 8.3
Admin Tools version: 7.5.4

Latest post by nicholas on Friday, 23 August 2024 01:36 CDT

iorbita

Hello,
I've been advised to add extra security to the root directory of my development subdomains (test sites) to prevent search engines from indexing these pages. Unfortunately, some development pages occasionally appear in search results.

Apparently, simply using noindex,nofollow meta tags isn't sufficient.

Question:

If I use an .htpasswd file at the root of the development site for password protection, do I still need AdminTools?

Here's what I did:

- I accessed the .htaccess file.
- I added the following lines:

# HTTP Basic authentication for the whole directory tree below this .htaccess
AuthType Basic
AuthName "Restricted Area"
# Absolute path to the htpasswd file (ideally outside the web root); note the file name is .htpasswd, not .htpasswdd
AuthUserFile /home/User/PathToYourFolder/.htpasswd
# Any user listed in the htpasswd file may enter; everyone else gets a 401
Require valid-user

Note: I replaced "User" and "PathToYourFolder" with my actual username and the path to the folder containing my .htpasswd file.

- I created an .htpasswd file.
- I used a tool like https://www.web2generators.com/apache-tools/htpasswd-generator to generate a username and password.
- I copied the generated code into my .htpasswd file.

While this approach works for most sites, it seems to conflict with the Admin Tools .htaccess file on some installations. Apparently, there might be a setting in Admin Tools that prevents the .htpasswd file from functioning.

If using AdminTools offers additional benefits for development site security, I'd appreciate it if you could explain which option might be interfering with the .htpasswd file.

Many thanks,
Lorenzo

nicholas
Akeeba Staff
Manager

Why don't you just use a robots.txt file?

Also, if you want to use the .htaccess trick for restricting access to a site, you can use that code in the .htaccess Maker. Put your code in the "Code to add at the top of the file", since you want to apply the password access control before any other security check. Otherwise, you are right, the code in the .htaccess Maker might end up overriding the password access control, e.g. when trying to access an explicitly allowed media file. There is nothing else which would be in conflict.

Finally, there's the obvious point of avoiding all that using a local development server. It's a bit of a bother to set one up, but it's faster, very reliable, and you don't have to worry about search engines and malicious access while you're in the development phase. You can make mistakes which don't cost you anything more than some of your time.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

iorbita

Hi,

I would have liked to edit my first message about the robots.txt file, but I was too late; apparently even a robots.txt file isn't a very safe bet for robots.
Here's the answer from the developer of a well-known SEO extension for Joomla:

“Just remember that if you use noindex and robots.txt, you just have no protection at all and your development site content, or at least URLs, can appear in many search engines, including Google.”

All my sites are developed locally, but I always leave a copy on the production server when I need to run tests and/or for staging environment.

Even if I place the rule at the very beginning of the .htaccess file via the .htaccess Maker, access is still possible, so I don't understand why.
If I use an .htaccess file containing only the rule, access is not possible.

Also, my first question has not been answered: If I use an .htpasswd file at the root of the development site for password protection, do I still need AdminTools?

Thanks again,
Lorenzo

nicholas
Akeeba Staff
Manager

“Just remember that if you use noindex and robots.txt, you just have no protection at all and your development site content, or at least URLs, can appear in many search engines, including Google.”

This response lacks context. Depending on the context it can be either accurate, or completely off the mark. Also note the link I sent you is Google's own advice on how to use robots.txt, and what it does :)

The robots.txt file tells search engines to NOT crawl your site.

What that file does not do is prevent search engines from following links outside of your site, follow links from other allowed pages on your site, or remove already indexed pages.

In the context of a development site which is not linked to from any external page, is not indexed, and has a robots.txt file telling search engines to not index it, the robots.txt file will be enough. In this particular context, the answer you received is wrong. In any other context, the answer you received is correct because of what I said about what robots.txt doesn't do.

Also, my first question has not been answered: If I use an .htpasswd file at the root of the development site for password protection, do I still need AdminTools?

I have a rule of not giving advice I would never follow myself, but you are asking me for exactly that.

I would only ever consider putting a staging site on a live server, and only after setting it to off-line in Global Configuration. This prevents leaking content better than any other possible method, but it also means you can never see the site as a guest.

I would never put a development site on an Internet-accessible server. By their definition, they will have to throw errors during the development process, and the errors do contain privileged information. In the rare cases where I need my dev site to be Internet accessible I use Expose, limiting the amount of time my dev site is accessible to what is absolutely necessary.

So, I will have to give advice I would never follow, for a dev/staging site I would never have in the configuration you are asking me about. The only set of conditions under which I would not totally freak out about you not using a security extension is if I knew that everything is password protected, the server allows you to use passwords over 8 characters long, and you are using a long (24+ characters), randomly generated password consisting of lowercase and uppercase letters, numbers, and punctuation.

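The Basic-auth setup from the first post and the password requirements in the reply above, as an added example that is not code from this thread, from Admin Tools or from Joomla. The script below generates a random 24+ character password covering all four character classes, writes an Apache-compatible `$apr1$` entry for the .htpasswd file (the format `htpasswd -m` and `openssl passwd -apr1` produce, accepted by every mod_authn_file build), verifies the entry, and emits the block to paste into the .htaccess Maker's "Code to add at the top of the file". The username `lorenzo`, the path `/home/user/.htpasswd` and the cross-check against a locally installed `openssl` binary are assumptions for the example; Python 3.7+ is assumed for `subprocess.run(capture_output=True)`.

```python
"""Password-gate a staging site: random password, .htpasswd entry, .htaccess block."""
import hashlib
import secrets
import shutil
import string
import subprocess

# Apache's crypt-style base64 alphabet, also used by htpasswd for the salt.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_password(length: int = 32) -> str:
    """Random password with at least one character from each of the four classes."""
    if length < 24:
        raise ValueError("use 24 or more characters for an Internet-facing gate")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant first (apr's to64)."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ algorithm (apr_md5_encode), implemented here for illustration."""
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$apr1$"
    ctx = pw + magic + sl
    final = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                       # as many bytes of md5(pw,salt,pw) as pw is long
        ctx += final[: min(16, pl)]
        pl -= 16
    i = len(pw)
    while i:                            # apr's "something really weird" bit walk
        ctx += b"\0" if i & 1 else pw[:1]
        i >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):               # 1000 stretching rounds, alternating inputs
        ctx1 = pw if i & 1 else final
        if i % 3:
            ctx1 += sl
        if i % 7:
            ctx1 += pw
        ctx1 += final if i & 1 else pw
        final = hashlib.md5(ctx1).digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"{magic.decode()}{sl.decode()}${encoded}"


def htpasswd_line(username: str, password: str) -> str:
    """One line for the .htpasswd file; ':' separates the fields, so it is barred from the user name."""
    if ":" in username or not username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{username}:{apr1_md5(password, salt)}"


def verify_htpasswd_line(line: str, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    user, _, stored = line.partition(":")
    if user != username or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


def htaccess_block(auth_user_file: str) -> str:
    """The directives from the thread, for the Maker's 'Code to add at the top of the file'."""
    return "\n".join([
        "# Basic-auth gate for the staging site (assumed path, keep it outside the web root)",
        "AuthType Basic",
        'AuthName "Restricted Area"',
        f"AuthUserFile {auth_user_file}",
        "Require valid-user",
    ]) + "\n"


def cross_check_with_openssl(password: str, salt: str):
    """True/False if `openssl passwd -apr1` agrees with apr1_md5; None if openssl is unavailable."""
    if shutil.which("openssl") is None:
        return None
    try:
        out = subprocess.run(["openssl", "passwd", "-apr1", "-salt", salt, "-stdin"],
                             input=password + "\n", capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() == apr1_md5(password, salt)


if __name__ == "__main__":
    pw = generate_password()
    print("password (store it in a password manager):", pw)
    print(".htpasswd line:", htpasswd_line("lorenzo", pw))      # assumed user name
    print(htaccess_block("/home/user/.htpasswd"))                 # assumed path
```

Two checks worth running after saving the generated .htaccess: Apache merges `<Files>`/`<FilesMatch>` sections after the top-level directives of a `.htaccess` file no matter where they appear in it, and with the default `AuthMerging Off` a section's own `Require all granted` replaces the `Require valid-user` above it for the files it matches. So `grep -n 'Require all granted' .htaccess` shows exactly which patterns the password gate no longer covers, and `curl -sI https://dev.example.com/images/some-image.jpg` (an assumed URL) must come back `401`, not `200`; a `200` means the gate is being bypassed for that file type, which matches the behaviour reported later in the thread. If you control the virtual host, a `<Location "/">` block with the same four directives is merged after all `<FilesMatch>` sections and closes that hole; on shared hosting, Joomla's offline mode, as suggested in the reply, is the option that does not depend on Apache merge order.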

iorbita

Ok, thank you for all your explanations, which are always very detailed.
The most difficult thing will be choosing a working method and taking a decision. Thanks again.

nicholas
Akeeba Staff
Manager

You're welcome!

