How to Password Protect a Directory on Your Website

Only allow certain users or members to access portions of your site


by Christopher Heng, thesitewizard.com

Password protecting a directory on your site is actually fairly easy. Webmasters typically want to protect a directory if they have information that they want to make available only to a selected number of people. This guide teaches how you can make a folder on your website accessible only to people with the appropriate password.

If Your Web Host Has a Control Panel

Before you dive into the task of manually password-protecting a directory using Apache's built-in facilities, you might want to check out your web host's control panel to see if they already provide the facility for protecting directories. In my experience, many commercial web hosts already provide an easy way for you to password-protect your directories. If such a facility is already available, it's probably best to use it since it will save you time, particularly if you are not familiar with shell command lines and editing .htaccess files.

Otherwise, read on.

System Requirements

You will need the following before you can successfully password-protect anything.

  1. Your website must be running on an Apache web server.

  2. Your web host must have enabled .htaccess processing — that is, they allow you to customize your web server environment using localized configuration files called .htaccess files.

  3. You must have shell access, either via telnet or Secure Shell (SSH). You should also know how to use telnet or SSH to connect to your web hosting account.

Steps to Protecting a Directory with a Password Using .htaccess on Apache

  1. Create a .htaccess file

    Use a plain text editor (eg an ASCII text editor) like Notepad to create a text file with the following contents:

    AuthName "Members Area"
    AuthType Basic
    AuthUserFile /path/to/your/directory/.htpasswd
    require valid-user

    Note that you will have to modify the above according to your situation. In particular, change:

    1. AuthName

      Change "Members Area" to any name that you like. This name will be displayed when the browser prompts for a password.

    2. AuthType

      You do not have to modify this line. Just copy it verbatim to your file.

    3. AuthUserFile

      You will later create a file containing passwords named .htpasswd. The "AuthUserFile" line tells the Apache web server where it can locate this password file.

      Ideally, the password file should be placed outside any directory accessible by visitors to your website. For example, if the main page of your web site is physically located in "/home/your-account-name/public-html/", place your .htpasswd file in (say) /home/your-account-name/.htpasswd. That way, on the off-chance that your host misconfigures your server, your visitors cannot view the .htpasswd contents by simply typing http://www.example.com/.htpasswd.

      Wherever you decide to place the file, put the full path of that file after "AuthUserFile". For example, if you placed the file at /home/your-account-name/.htpasswd, modify that line to "AuthUserFile /home/your-account-name/.htpasswd". Note that your password file need not be named .htpasswd either. It can be any name you wish. For ease of reference, however, this tutorial will assume that you chose ".htpasswd".

    4. require

      The line "require valid-user" means that any user specified in your .htpasswd (ie, password) file will be able to access that directory. (You will be creating the password file later in this article.)

      If your password file contains many users, but you only want a specific user to be able to access this directory, change the "require valid-user" to:

      require user sally

      You should of course replace sally with the user name of the person to whom you want to give access. You can even add multiple names to that line:

      require user sally mary bill tom

      In the above case, the four users listed after require user will be allowed access to that directory. Notice that even when you list multiple names, the directive to use is require user. Do not use the plural form of user.

  2. Save and Upload the .htaccess file

    Save the .htaccess file. If you are using Notepad, be sure to save the file as ".htaccess", including the quotes, otherwise Notepad will change the name to ".htaccess.txt" behind your back. Then upload the .htaccess file to the directory that you want to protect.

  3. Set Up the Password File, .htpasswd

    Use your telnet or SSH software and log into your shell account.

    Be sure that you are in your home directory, not somewhere else. Note that your web directory is probably not your home directory on most commercial web hosts. On servers that use a Unix-type system (like Linux, FreeBSD and OpenBSD), you can usually go to your home directory by simply typing "cd" (without the quotes) followed by the ENTER key (or RETURN key on a Mac). This, by default, will switch you to your home directory. (Note for Windows users: this is different from the Windows/DOS shell, where "cd" only displays the current working directory.)

    Then, type the following command:

    htpasswd -c .htpasswd your-user-name

    where your-user-name is the login name of the user to whom you want to give access. The user name should be a single word without any intervening spaces. You will then be prompted to enter the password for that user. When this is done, the htpasswd utility creates a file called .htpasswd in your current directory (your home directory). You can move the file to its final location later, according to where you set the AuthUserFile location in .htaccess.

    If you have more than one user, you should create passwords for them as well, but using the following command for each subsequent user:

    htpasswd .htpasswd another-user-name

    Notice that this time, we did not use the "-c" option. When the "-c" option is not present, htpasswd will look for an existing file by the name given (.htpasswd in our case), and append the new user's password to that file. If you use "-c" for your second user, you will wipe out the first user's entry since htpasswd takes "-c" to mean create a new file, overwriting the existing file if present.

    If you are curious about the contents of the file, you can take a look using the following command:

    cat .htpasswd

    Since the .htpasswd file is a plain text file, with a series of user name and encrypted password pairs, you might see something like the following:

    sally:abcdefgHijK12
    mary:34567890LMNop

    This file has two users "sally" and "mary". The passwords you see will not be the same as the one you typed, since they are encrypted.

    Before you quit, you should make sure that permissions on the file are acceptable. To check the permissions, simply type the following on the shell command line:

    ls -al .htpasswd

    If you see the file with a listing like:

    -rw-rw-rw- (...etc...) .htpasswd

    it means that the .htpasswd file can be read and written by everyone who has an account on the same server as you. The first "rw" means that the owner of the file (you) can read it and write to it. The next "rw" means everyone in the same group as you can read and write the file. The third "rw" means that everyone with an account on that machine can read and write the file.

    You don't want anyone else to be able to write to the file except you, since they can then add themselves as a user with a password of their own choosing or other nefarious stuff. To remove the write permission from everyone except you, do this from the shell command line:

    chmod 644 .htpasswd

    This allows the file to be read and written by you, and only read by others. Depending on how your server is set up, it is probably too risky to change the permissions so that others in your group, or the world, cannot read it, since if you do so, the Apache web server will probably not be able to read it either. In any case, the passwords are encrypted, so a cursory glance at the file will hopefully not give away the passwords.

    If you have set a different directory for your password file in your .htaccess earlier, you will need to move it there. You can do this from the shell command line as follows:

    mv .htpasswd /final/location/of/the/file

    Remember that your file does not even have to be called .htpasswd. You can name it anything you like. However, if you do, make sure that your AuthUserFile has the same directory and filename or Apache will not be able to locate it.
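The following Python script is an added example, not part of this article and not Apache's own code. It models what the steps above set up: it writes .htpasswd entries with and without the "-c" (create) behaviour, checks the file permissions the article asks you to verify, decodes the "Authorization: Basic" header that a browser sends after the password prompt, and applies "require valid-user" or "require user sally mary ..." to the result. It assumes the "{SHA}" entry format (the one htpasswd writes with its -s option, and which Apache's mod_authn_file accepts); the function names, sample users and passwords are constructed for the example.

```python
"""Added example: a small model of Apache's .htpasswd-based Basic auth.

Assumptions (not from the article): entries use the "{SHA}" format
("{SHA}" + base64(SHA-1(password))), which `htpasswd -s` writes and
mod_authn_file accepts. All names, users and passwords are constructed.
"""
import base64
import hashlib
import hmac
import os
import stat
import tempfile


def sha_entry(password: str) -> str:
    """Hash a password the way `htpasswd -s` does: {SHA} + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def add_user(path: str, user: str, password: str, create: bool = False) -> None:
    """Mirror `htpasswd [-c] FILE USER`.

    create=True behaves like -c: the file is written from scratch, so any
    existing entries are lost. Without it, the entry is appended (an old
    entry for the same user is replaced).
    """
    if not user or " " in user or ":" in user:
        raise ValueError("user name must be a single word without ':'")
    lines = []
    if not create and os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            lines = [line for line in f if not line.startswith(user + ":")]
    lines.append(f"{user}:{sha_entry(password)}\n")
    with open(path, "w", encoding="utf-8") as f:
        f.writelines(lines)
    os.chmod(path, 0o644)  # the mode the article recommends: rw-r--r--


def load_entries(path: str) -> dict:
    """Parse user:hash lines into a dict (what Apache reads at request time)."""
    entries = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#"):
                user, _, hashed = line.partition(":")
                entries[user] = hashed
    return entries


def writable_by_others(path: str) -> bool:
    """True for the -rw-rw-rw- case: group or world may write the file."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def credentials_from_header(header: str):
    """Decode 'Basic <base64>'. Base64 is an encoding, not encryption, so
    over plain HTTP the password is readable by anyone who sees the header."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authorize(header: str, entries: dict, require: str) -> bool:
    """Check the password, then apply a 'require' line from .htaccess."""
    creds = credentials_from_header(header)
    if creds is None:
        return False
    user, password = creds
    expected = entries.get(user)
    if expected is None or not hmac.compare_digest(expected, sha_entry(password)):
        return False
    words = require.split()
    if words[:2] == ["require", "valid-user"]:
        return True
    if words[:2] == ["require", "user"]:
        return user in words[2:]
    return False  # unknown directive: deny


def demo() -> dict:
    """Walk through the article's steps in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htpasswd")
        add_user(path, "sally", "correct horse", create=True)   # htpasswd -c
        add_user(path, "mary", "battery staple")                # no -c: append
        results["users_after_append"] = sorted(load_entries(path))
        results["perms_ok"] = not writable_by_others(path)
        add_user(path, "bill", "oops", create=True)             # -c again: wipes the file
        results["users_after_second_create"] = sorted(load_entries(path))
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script prints the user list after the append and again after the mistaken second "-c", which shows why the article warns against reusing that option. The `credentials_from_header` step is also the reason for the transmission caveat later in this article: the header carries the password in a trivially reversible form, so only HTTPS keeps it from an observer on the network.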

Testing Your Setup

Once you have completed the above, you should test your setup using your browser to make sure that everything works as intended. Upload a simple index.html file into your protected directory and use your web browser to view it. You should be greeted with a prompt for your user name and password. If you have set everything up correctly, when you enter that information, you should be able to view the index.html file, and indeed any other file in that directory.

A Word of Caution

You should note a few things though, before you go berserk password protecting directories and harbouring ("harboring" in US English) the illusion that they can safeguard your data:

  1. The password protection only guards access through the web. You can still freely access your directories from your shell account. So can others on that server, depending on how the permissions are set up in the directories.

  2. It protects directories and not files. Once a user is authenticated for that folder, he/she can view any file in that directory and its descendants.

  3. Passwords and user names are transmitted in the clear by the browser (Basic authentication only base64-encodes them, which is not encryption), and so are vulnerable to being intercepted by others. To address this problem, you should convert your website to use HTTPS.

  4. You should not use this password protection facility for anything serious, like guarding your customers' data, credit card information or any other valuable information. It is basically only good for things like keeping out search engine bots and casual visitors. Remember, your data isn't even encrypted in the directory with this method.

Congratulations

Congratulations. You have now successfully password-protected a directory on your website.

Copyright © 2007-2018 by Christopher Heng. All rights reserved.