Password Protect a Website or Web Directory With .htaccess File
In this tutorial on .htaccess file configuration, we will discuss how to password protect a website using the .htaccess file. Before going into detail, I would like to explain why you might need to password protect a website, a web page or a subdirectory of your website using an .htaccess file. Let’s assume that you have a website which is accessible to all, but you have decided that only a specific portion of the website will remain public whereas the rest will be protected, meaning that those portions will require authentication to be accessed. For this, you cannot go and implement a complete authentication and authorization system in your web application. A simple .htaccess file configuration will do the job for you very easily. So let’s see how you can password protect your website or web page with .htaccess file configuration.
Scenarios When You Should Use Password Protected Pages
- Protecting private sections of your website so that only people you know and trust are able to access them.
- You are working on a newer version of your website and don’t want it to be accessible until it is completely ready.
- Providing paid content to your visitors.
- Creating a private section, or perhaps a private forum, for a selected number of users.
How to Password Protect a Website or Subdirectory
Before going into the configuration details let’s assume that you want to password protect the directory ‘protectedpages’ and all other web directories should be publicly available.
Basically you need to do 2 things:
- Create a password file that will store the usernames and corresponding passwords
- Create/Modify .htaccess file in the directory which you want to password protect. In our case it is ‘protectedpages’.
Creating Password File
1. Open a standard text editor, create a new file and save it as .htpasswd. (You can give it any name you like.)
2. Add the user names and corresponding encrypted passwords to this file and save it. You can use this online tool to generate the encrypted password, or you can use Apache’s htpasswd tool from the command line. The format is one entry per line: the user name, a colon, and the encrypted password.
3. Upload this file to your hosting server in text mode. Make sure you keep this file outside the publicly served directories of your web server, so that no one will be able to access it from a browser.
Create/Modify .htaccess File Configuration
1. Create a .htaccess file inside the directory which you want to password protect, skip this step if the file already exists.
2. Add the below entry to the .htaccess file:
AuthType Basic
AuthName "Protected Zone"
AuthUserFile /complete/path/to/.htpasswd
require valid-user
In the above configuration, replace “/complete/path/to/.htpasswd” with the complete path to your password file.
Analysis: In the above configuration in the last line you can see “require valid-user” which specifies that it requires any valid user whose entry is there in the password file. In case you want to give access to only one user (Say John) you can write below configuration:
AuthType Basic
AuthName "restricted area"
AuthUserFile /complete/path/to/.htpasswd
require user John
Note: The user John must be present in the password file.
Analysis: The AuthName parameter defines the title of the password entry box shown when the user logs in. It’s not exactly the most important part of the file, but it should be defined. The AuthType parameter tells the server what sort of processing is in use, and “Basic” is the most common and perfectly adequate for almost any purpose. Basic authentication sends the user name and password base64-encoded rather than encrypted, so serve the protected area over HTTPS. The AuthUserFile parameter defines the complete path to the password file.
Password Protect a Single Web Page or a Single File
Add the below configuration to the .htaccess file in case you want to protect a particular page under a directory:
AuthName "restricted area"
Analysis: In the above code everything remains the same except that you are defining your web page inside the <Files> tag and also we are specifying the ‘require valid-user’ parameter inside this tag.
If all of this configuration is done correctly and someone tries to access the protected URL, they will get an authentication popup box.
1. Create the password file, enter the user names and corresponding encrypted passwords, and upload the file to a safe location on your hosting server which is not public.
2. Create/Edit the .htaccess file in the protected directory and add the proper configuration to it.
* This will only work on Web servers that support .htaccess, like the Apache HTTP Server (httpd).
* Make sure that the .htaccess file is text, not Word or some other format.
* To keep your passwords secure, the user file should not be accessible from a Web browser – but it must be on the same machine as the Web pages.
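The checks described above can be automated before a configuration goes live. The following is an added example, not code from the original tutorial: it audits one .htaccess and password file pair for missing directives, a password file stored under the document root, weak hash schemes, and a `require user` name that has no entry in the password file. The function names, the document root /var/www/html and the sample file contents are assumptions made for illustration.

```python
import posixpath

REQUIRED = ("authtype", "authname", "authuserfile", "require")
WEAK = {"sha1", "des-crypt-or-plaintext"}  # schemes Apache's htpasswd docs call insecure
# Constructed sample input; the hash values are placeholders, not real digests.
SAMPLE_HTACCESS = """AuthType Basic
AuthName "Protected Zone"
AuthUserFile /var/www/html/protectedpages/.htpasswd
Require user John
"""
SAMPLE_HTPASSWD = "mary:$2y$05$constructedSaltAndHash\nbob:{SHA}constructedDigest=\n"

def parse_htaccess(text):
    """Map each one-line directive (lower-cased) to its argument string."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith(("#", "<")):  # skip comments and <Files> tags
            name, value = (line.split(None, 1) + [""])[:2]
            conf[name.lower()] = value.strip().strip('"')
    return conf

def hash_scheme(stored):
    """Classify the hash field of one password file entry by its prefix."""
    for prefix, name in (("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1")):
        if stored.startswith(prefix):
            return name
    return "other" if stored.startswith("$") else "des-crypt-or-plaintext"

def inside_docroot(path, docroot):
    """True when an absolute path lies under docroot (relative paths are not judged)."""
    path, docroot = posixpath.normpath(path), posixpath.normpath(docroot)
    return posixpath.isabs(path) and posixpath.commonpath([path, docroot]) == docroot

def audit(htaccess_text, htpasswd_text, docroot):
    """Return a list of findings for one .htaccess / password file pair."""
    conf = parse_htaccess(htaccess_text)
    findings = [f"missing directive: {d}" for d in REQUIRED if d not in conf]
    if inside_docroot(conf.get("authuserfile", ""), docroot):
        findings.append("password file is under the document root")
    users = dict(l.strip().split(":", 1) for l in htpasswd_text.splitlines() if ":" in l)
    findings += [f"weak hash scheme for {u}: {hash_scheme(h)}"
                 for u, h in users.items() if hash_scheme(h) in WEAK]
    kind, *names = conf.get("require", "").split() or [""]
    if kind.lower() == "user":  # user names are case-sensitive
        findings += [f"required user not in password file: {n}" for n in names if n not in users]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, "/var/www/html")))
```

For the sample input it reports three findings; moving the password file outside the document root and giving John a bcrypt entry clears them.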