Password protecting a directory on your site is actually fairly easy. Webmasters typically want to protect a directory if they have information that they want to make available only to a selected number of people. This guide teaches how you can make a folder on your website accessible only to people with the appropriate password.
Before you dive into the task of manually password-protecting a directory using Apache's built-in facilities, you might want to check out your web host's control panel to see if they already provide the facility for protecting directories. In my experience, many commercial web hosts already provide an easy way for you to password-protect your directories. If such facility is already available, it's probably best to use it since it will save you time, particularly if you are not familiar with shell command lines and editing of .htaccess files.
Otherwise, read on.
You will need the following before your attempt to password-protect anything is successful.
Your website must be running on an Apache web server.
Your web host must have enabled .htaccess processing — that is, they allow you to customize your web server environment using localized configuration files called .htaccess files.
You must have shell access, either via telnet or Secure Shell (SSH). You should also know how to use telnet or SSH to connect to your web hosting account.
Use an ASCII text editor like Notepad to create a text file with the following contents:
Note that you will have to modify the above according to your situation. In particular, change:
Change "Secure Area" to any name that you like. This name will be displayed when the browser prompts for a password. If, for example, that area is to be accessible only to members of your site, you can name it "Members Only" or the like.
You will later create a file containing passwords named
.htpasswd. The "AuthUserFile" line tells the
Apache web server where it can locate this password file.
Ideally, the password file should be placed outside any directory accessible by visitors to your website. For example, if the main page of
your web site is physically located in "
/home/your-account-name/public-html/", place your
.htpasswd file in (say)
/home/your-account-name/.htpasswd. That way, on the
off-chance that your host misconfigures your server, your visitors cannot view the
contents by simply typing
Wherever you decide to place the file, put the full path of that file after "AuthUserFile". For example, if the directory where you
placed the file is
/home/your-account-name/.htpasswd, modify that line to
AuthUserFile /home/your-account-name/.htpasswd". Note that your password
file need not be named
.htpasswd either. It can be any name you wish. For ease of reference,
however, this tutorial will assume that you chose "
You do not have to modify these. Just copy the lines as they are given above.
.htaccess file. If you are using Notepad, be sure to save the file as
including the quotes, otherwise Notepad will change the name to "
.htaccess.txt" behind your back. Then
upload the .htaccess file to the directory that
you want to protect.
Use your telnet or SSH software and log into your shell account.
Be sure that you are in your home directory, not somewhere else. Note that your web directory is probably not your home directory on most commercial web hosts. On servers that use a Unix-type system (like Linux, FreeBSD and OpenBSD), you can usually go to your home directory by simply typing "cd" (without the quotes) followed by the ENTER key (or RETURN key on a Mac). This, by default, will switch you to your home directory. (Note for Windows users: this is different from the Windows/DOS shell, where "cd" only displays the current working directory.)
Then, type the following command:
where your-user-name is the login name of the user you want to give access. The user name should be a single word
without any intervening spaces. You will then be prompted to enter the password for that user. When this is done,
the htpasswd utility creates a file called
.htpasswd in your current directory
(home directory). You can move the file to its final location later, according to where you set the
AuthUserFile location in
If you have more than one user, you should create passwords for them as well, but using the following command for each subsequent user:
Notice that this time, we did not use the "-c" option. When the "-c" option is not present, htpasswd
will look for an existing file by the name given (
.htpasswd in our case), and append the new user's password
to that file. If you use "-c" for your second user, you will wipe out the first user's entry since
htpasswd takes "-c" to mean create a new file, overwriting the existing file if present.
If you are curious about the contents of the file, you can take a look using the following command:
Since the .htpasswd file is a plain text file, with a series of user name and encrypted password pairs, you might see something like the following:
This file has two users "sally" and "mary". The passwords you see will not be the same as the one you typed, since they are encrypted.
Before you quit, you should make sure that permissions on the file are acceptable. To check the permissions, simply type the following on the shell command line:
If you see the file with a listing like:
it means that the
.htpasswd can be read and written by everyone who has an account on the same server as you. The first "rw" means that
the owner of the file (you) can read it and write to it. The next "rw" means everyone in the same group as you can read and write the file.
The third "rw" means that everyone with an account on that machine can read and write the file.
You don't want anyone else to be able to write to the file except you, since they can then add themselves as a user with a password of their own choosing or other nefarious stuff. To remove the write permission from everyone except you, do this from the shell command line:
This allows the file to be read and written by you, and only read by others. Depending on how your server is set up, it is probably too risky to change the permissions to prevent others from your group or the world from reading it, since if you do so, the Apache web server will probably not be able to read it either. In any case, the passwords are encrypted, so a cursory glance at the file will hopefully not give away the passwords.
If you have set a different directory for your password file in your
.htaccess earlier, you will need to move it
there. You can do this from the shell command line as follows:
Remember that your file does not even have to be called
.htpasswd. You can name it anything you like.
However, if you do, make sure that your
AuthUserFile has the same directory and filename or Apache
will not be able to locate it.
Once you have completed the above, you should test your set up using your browser to make sure that everything works as intended. Upload a simple index.html file into your protected directory and use your web browser to view it. You should be greeted with a prompt for your user name and password. If you have set everything up correctly, when you enter that information, you should be able to view the index.html file, and indeed any other file in that directory.
You should note a few things though, before you go berserk password protecting directories and harbouring ("harboring" in US English) the illusion that they can safeguard your data:
The password protection only guards access through the web. You can still freely access your directories from your shell account. So can others on that server, depending on how the permissions are set up in the directories.
It protects directories and not files. Once a user is authenticated for that folder, he/she can view any file in that directory and its descendants.
Passwords and user names are transmitted in the clear by the browser, and so are vulnerable to being intercepted by others.
You should not use this password protection facility for anything serious, like guarding your customer's data, credit card information or any other valuable information. It is basically only good for things like keeping out search engine bots and casual visitors. Remember, your data isn't even encrypted in the directory with this method.
Congratulations. You have now successfully password-protected a directory on your website.
Do you find this article useful? You can learn of new articles and scripts that are published on thesitewizard.com by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at https://www.thesitewizard.com/thesitewizard.xml. You can read more about how to subscribe to RSS site feeds from my RSS FAQ.
This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.
It will appear on your page as: