@kentgigger

How To Use htaccess to Password Protect Your Website Or Any Directory


At times my web server, a directory, or an entire website needs a password to keep it away from the likes of Google, or anyone for that matter. This is where the htaccess and htpasswd files come in handy. Honestly, you don't need to think about the htaccess file often unless you like to go old school and want to add redirects for certain URLs (I would not recommend doing this manually), load custom error pages like a 404, or force your site to use HTTPS instead of HTTP. What I'm going to write about here is password protecting a directory on your server or preventing hotlinking. More on these other topics in future posts.

Anyway, the htaccess file hadn't crossed my mind for quite a long time until recently, when a client asked me how to password protect directories on their website. It got me thinking about how it used to be done and whether there is anything new (or better) out there. And really, the htaccess file is still the easiest way to get it done. So I decided to document the process so that you can password protect your website or even just specific directories within your site.

Just so you know…this is not considered the most secure method of restricting access to web pages or directories, but it works well enough if you need something simple. This is also helpful as another resource to keep Google from indexing your site before you are ready to launch it.

So Why Would You Want To Restrict Access To A Website?

You might want to restrict access to your website or any directory on your web server for several reasons:

  • To prevent search engines from indexing certain pages on your website, so that those pages will not appear in search results even if someone searches for them by name.
  • To prevent hackers from accessing private information (such as email addresses and other personal data) when they try to hack into your website.
  • To force all visitors to see a password prompt asking for their username and password. Those who don’t know this information will be denied access to the protected directory.
  • To protect private forms on your web server.
  • The entire website is under development and only a few individuals and other users, such as QA or stakeholders, need access.
  • To provide a username and password for paid users and make it a restricted area.

Setting Up htaccess File And htaccess Password File

A few things to note:

To password protect a directory, the htaccess and htpasswd files need to be placed in that directory. To password protect an entire site, place the files in the root folder on your web server. htaccess files are applied down the directory tree in a cascading fashion. For example, if an htaccess file is in a directory called Product that has subdirectories, they would all be password-protected directories too.

There can only be one htaccess file for every directory on the web server.

Create The htaccess File For Password Protection

Creating an htaccess file is easy. Just open your favorite text editor, paste in the following code, and save it as .htaccess. If your web server already has one in that particular directory, the following code can be added to that file instead.

AuthType Basic
AuthName "My Password Protected Website/Page"
AuthUserFile /path/to/.htpasswd
Require valid-user

Okay, let's break down these parameters we've set here:

AuthType Basic

This is saying what type of authentication our web server will be using. Basic authentication is the type of authentication we’re going to use. It’s perfectly acceptable for what we need here.

AuthName "My Password Protected Website/Page"

Sets the title of the password box that appears when someone tries to view your password protected web server or page.

AuthUserFile ../../.htpasswd

This tells the web server where to find your username/password file, in this case ../../.htpasswd. The file path should be relative to the location of the htpasswd file.

The dots indicate that the file is located two folders above the current directory, so to point to a file within the same directory, you could use: ./.htpasswd.

Require valid-user

Lets the web server know to require a username and password from anyone trying to access this folder or directory (or any subfolders inside).

Creating The htpasswd File

The htpasswd file holds the usernames and passwords. You can create a new htpasswd file with one user and add additional users to it; there is no limit on the number of entries, so each person who needs access to the website can have their own username and password.

Once again, open your favorite text editor, paste in the following code, and save it as .htpasswd.

user1:encryptedpassword

Here user1 is the username, encryptedpassword is the encrypted password, and : is the separator, with no spaces around it. Once again, you can add multiple usernames and passwords on new lines.

To encrypt passwords for use with the .htpasswd file, use Web 2.0 Generators' easy tool [1].

Upload The htaccess File And htpasswd File

To protect a folder and everything in it, place the .htaccess file in the folder. For example, if you want to protect your entire website you can place the .htaccess file in your web server's public_html folder.

The htpasswd file can be placed in the same directory as the htaccess file or in any other directory. However, make sure the AuthUserFile location/path in the htaccess file is correct, or nothing will work.
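A check to run on both files before uploading them, added here as an example and not part of the original post: it flags password-file entries that are malformed or not stored as a salted hash, and an AuthUserFile path that is relative (Apache resolves a non-absolute AuthUserFile against ServerRoot, not against the folder holding the .htaccess file) or that sits inside the web root. The function names, the sample entries and the /var/www/html document root used when calling it are assumptions.

```python
import posixpath

# Prefixes of the salted formats Apache basic auth reads: bcrypt and apr1-MD5.
SALTED_PREFIXES = ("$2y$", "$apr1$")

# Constructed sample files (placeholder values, not real credentials).
SAMPLE_HTPASSWD = """\
alice:$2y$05$CONSTRUCTED.PLACEHOLDER.VALUE.NOT.A.REAL.HASH
bob: encryptedpassword
carol:{SHA}CONSTRUCTEDPLACEHOLDER=
dave:plainsecret
"""
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "My Password Protected Website/Page"
AuthUserFile ../../.htpasswd
Require valid-user
"""


def check_htpasswd(text):
    """Return (line_number, problem) pairs for the contents of a password file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comment lines carry no entry
        user, sep, secret = line.partition(":")
        if not sep:
            findings.append((n, "no ':' separator"))
        elif user[-1:].isspace() or secret[:1].isspace():
            findings.append((n, "whitespace next to ':'"))
        elif secret.startswith("{SHA}"):
            findings.append((n, "unsalted SHA-1 hash"))
        elif not secret.startswith(SALTED_PREFIXES):
            findings.append((n, "crypt() or plaintext value"))
    return findings


def check_htaccess(text, docroot):
    """Return problems with the AuthUserFile path in an .htaccess body."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "authuserfile":
            continue
        path = posixpath.normpath(parts[1].strip().strip('"'))
        if not posixpath.isabs(path):
            findings.append("relative path: Apache resolves it against ServerRoot")
        elif path.startswith(docroot.rstrip("/") + "/"):
            findings.append("password file is inside the document root")
    return findings
```

An empty list from both functions means the entries use a salted hash format and the password file is referenced by an absolute path outside the folder the site is served from.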

Wrap It Up

In conclusion, we have learned that the htaccess file is a powerful configuration file for controlling access to folders and files on your website. It can be used for password protection, setting up custom error pages, redirecting users, etc. This tutorial showed how easy it is to protect any directory on your web server with basic authentication by creating two simple files. Also keep in mind that this is useful for password protecting multiple files across your website. I hope you enjoyed reading this article as much as I enjoyed writing it! If this helped you in any way, let me know in the comments below. We learned how to create an htaccess login prompt and how the htpasswd file can be secure as long as you encrypt it. I hope someone finds this htaccess password protection write-up useful. Please let me know.

Here is Apache's official documentation [2] on the htaccess file.

I will note that nginx [3] will tell you not to mess around with the htaccess file, as it slows things down.

Footnotes

  1. https://www.faa.gov/licenses_certificates/medical_certification/get/

  2. https://httpd.apache.org/docs/2.4/howto/htaccess.html

  3. https://www.nginx.com/resources/wiki/start/topics/examples/likeapache-htaccess/