How do I password-protect my website using .htaccess?
July 5, 2007 at 2:39 pm | Posted in .htaccess, .htpasswd, apache | 2 Comments
A .htaccess file can be used to password-protect directories on your web site. All files and any subdirectories within a directory protected this way are also protected. So, if you wish to protect your entire web site, simply set up the .htaccess file in your public_html directory (the root of your web site). If you only wish to protect certain directories, you may do so separately.
1. Change to the directory that you wish to protect
In the following example we wish to protect a directory called private in our public_html directory.
torch: ~$ cd public_html/private
torch: ~/public_html/private$
You also need to know the fully qualified path of the directory you wish to protect. So, from this directory, type pwd and remember the fully qualified path (you will need it for the AuthUserFile line in step 3).
torch: ~/public_html/private$ pwd
/users/cs/johndoe/public_html/private
torch: ~/public_html/private$
In the above example, the fully qualified path is /users/cs/johndoe/public_html/private.
The remaining steps in this guide assume we are still in this directory.
2. Create a file named .htaccess
Use your favourite editor to create a file called .htaccess (note the period at the beginning of the filename). In the below example we will use pico.
torch: ~/public_html/private$ pico .htaccess
3. Add the appropriate lines to the .htaccess file.
Using the editor you chose in step 2, input the following. You will need to modify the first 2 lines to match your configuration (see modifications below).
AuthUserFile /users/cs/johndoe/public_html/private/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
Require valid-user
- Beside AuthUserFile, put the fully qualified path you obtained in Step 1, with /.htpasswd immediately following it. The above example shows /users/cs/johndoe/public_html/private/.htpasswd
- Beside AuthName, input the words or phrase that you wish to appear as the title for the username/password input box.
4. Create the .htpasswd file by adding users
Next use the htpasswd command to create your password file and username/password pairs:
torch: ~/public_html/private$ htpasswd -c .htpasswd bob
New password:
Re-type new password:
Adding password for user bob
torch: ~/public_html/private$
This creates the .htpasswd file and the username bob. You will then be prompted for a password for bob, which is stored in .htpasswd as a one-way hash rather than the password itself (with htpasswd -m it is a salted MD5 line beginning $apr1$; the traditional crypt() format, selected with -d and the default on older versions, silently ignores everything after the eighth character of the password). The hash cannot be reversed, but anyone who obtains the file can guess passwords against it offline, so choose strong ones.
To add further users, or to change the password of an existing user, switch to the protected directory and run htpasswd without the -c flag. The -c flag creates a new file, so running it a second time overwrites .htpasswd and silently deletes every user already in it; use it only once, for the first user.
torch: ~$ cd public_html/private
torch: ~/public_html/private$ htpasswd .htpasswd username
5. Set the permissions on your .htaccess and .htpasswd file
Finally, from within your protected directory, make both the .htaccess and .htpasswd files readable by the web server. On a shared host like the one in this example, where the server runs as a different user and you cannot change the group of your files, that means world-readable: chmod a+r .htaccess .htpasswd. Be aware that this also lets every other local user on the host read the password hashes, which is one more reason to choose strong passwords. Where you control the server, keep .htpasswd outside public_html (Apache's default configuration refuses to serve files whose names begin with .ht, but that is itself just configuration) and make it readable only by the server's user or group.
torch: ~/public_html/private$ ls -al
total 10
drwxr-xr-x 2 johndoe csugrad 512 Jan 7 14:30 .
drwxr-xr-x 8 johndoe csugrad 512 Jan 7 11:50 ..
-rw------- 1 johndoe csugrad 156 Jan 7 12:05 .htaccess
-rw------- 1 johndoe csugrad 18 Jan 7 11:59 .htpasswd
torch: ~/public_html/private$ chmod a+r .htaccess .htpasswd
torch: ~/public_html/private$ ls -al
drwxr-xr-x 2 johndoe csugrad 512 Jan 7 14:30 .
drwxr-xr-x 8 johndoe csugrad 512 Jan 7 11:50 ..
-rw-r--r-- 1 johndoe csugrad 156 Jan 7 12:05 .htaccess
-rw-r--r-- 1 johndoe csugrad 18 Jan 7 11:59 .htpasswd
torch: ~/public_html/private$
Above we can see that the permissions on .htaccess and .htpasswd change from -rw------- to -rw-r--r--.
Now, anytime you attempt to view your protected directory, any file within it, or recursively any subdirectory of it, you will be prompted for a username and password. Please refer back to Step 4 if you wish to add more users or change a user’s password.
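The whole procedure above, worked in code as an added example (this is not part of the original post, and it is not Apache's own code; it reimplements Apache's $apr1$ password format in plain Python so you can see what the "encrypted" line that htpasswd -m writes actually is). It also shows the two things the command-line steps hide: how the server checks a submitted password against the stored hash, and how to add or change a user without truncating the file the way a second htpasswd -c would. The path and realm string are the ones from the post; the user names and passwords in the demo are made up.

```python
# Added example: Apache $apr1$ hashing, .htpasswd maintenance and the
# .htaccess stanza from the steps above. Not code from the original post.
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: six bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Apache's $apr1$ scheme, what 'htpasswd -m' stores.

    It is MD5-crypt with a different magic string: 1000 rounds of MD5 over
    alternating mixes of the password, the salt and the running digest.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sp = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                 # one byte of alt per byte of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                           # one byte per bit of len(password)
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                # the stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$apr1$" + salt + "$" + encoded


def verify_apr1(password, stored):
    """What the server does on each request: rehash with the stored salt and compare."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def set_user(htpasswd_text, user, password):
    """Add or replace one user's line, keeping every other user (unlike htpasswd -c)."""
    kept = [line for line in htpasswd_text.splitlines()
            if line and not line.startswith(user + ":")]
    kept.append(user + ":" + apr1_hash(password))
    return "\n".join(kept) + "\n"


def htaccess_for(fq_path, realm="Title for Protected Site"):
    """The four-line .htaccess from step 3 for the given fully qualified path."""
    return ("AuthUserFile " + fq_path + "/.htpasswd\n"
            'AuthName "' + realm + '"\n'
            "AuthType Basic\n"
            "Require valid-user\n")


if __name__ == "__main__":
    # Constructed sample users; not real credentials.
    users = set_user("", "bob", "correct horse")
    users = set_user(users, "alice", "battery staple")
    print(htaccess_for("/users/cs/johndoe/public_html/private"))
    print(users)
    bob_hash = users.splitlines()[0].split(":", 1)[1]
    print(verify_apr1("correct horse", bob_hash), verify_apr1("wrong", bob_hash))
```

Run it and compare the printed .htpasswd lines with what htpasswd -m produces for the same password: the 22-character hash after the second $ differs only because each run picks a fresh random salt, and verify_apr1 accepts either because it reuses the salt found in the stored line. Note that set_user matches on the exact "user:" prefix, so updating bob leaves a user named bobby untouched.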
Troubleshooting / Common Problems
Below are the most common problems experienced by users attempting to set up htaccess protection.
- Permissions on both .htaccess and .htpasswd – Both the .htaccess and .htpasswd files need to be world readable. Please refer to Step 5 to ensure this has been done properly.
- Fully qualified path to .htpasswd incorrect – The correct fully qualified path to a valid .htpasswd file must appear beside AuthUserFile in the .htaccess file. Please refer to Step 3 and verify this is correct.
- The username doesn’t exist in .htpasswd – When attempting to login as a user, they need to have been correctly added to the .htpasswd file using the htpasswd command. Please refer to Step 4 to double-check.
How do I remove htaccess protection?
To remove htaccess protection, simply delete or rename the .htaccess file in the directory you wish to remove protection from. The below example shows how to rename .htaccess to .htaccess-old.
torch: ~/public_html/private$ mv .htaccess .htaccess-old
Should I be using .htaccess to protect highly sensitive data?
If you decide to protect something using .htaccess, be sure to understand one thing: the protection of your data relies upon the web server configuration. If the configuration changes (for example, if AllowOverride is turned off for your directory, Apache simply stops reading the .htaccess file), it might become possible for someone to retrieve your data. As a general rule, it is bad practice to place anything highly confidential or critical on a web server, period. There are numerous other options for storing and accessing sensitive data. Always remember that the web was originally designed for public access, so access control is an add-on.
If the page you are protecting is served over http rather than https, your username and password cross the network in the clear: Basic authentication only base64-encodes them, which is not encryption, and the browser resends them with every request to the protected directory. A secure address is always prefixed with https:// instead of http://. If you are accessing any site through http://, be aware that anyone who can capture your traffic can extract your password. A good guideline is to ensure that your htaccess passwords do not correspond with any of your other passwords. Do not forget that you are solely responsible for keeping your password private.
If you are setting this up on your own web server, you should bypass .htaccess altogether, put the same directives in httpd.conf (the Apache configuration) inside a <Directory> block for each directory they should apply to, and leave AllowOverride set to None. Every directive that is valid in .htaccess is also valid in the main configuration. This speeds things up, because with .htaccess enabled (AllowOverride AuthConfig or All) Apache has to look for and parse .htaccess files in every directory along the path on each request, and it simplifies web server management: the access rules live in one place under your control rather than in files scattered through the document root.