How to password protect your website with the htaccess file

As I am writing these words, my entire website is password protected except for a few links. I have done it this way in order to work on it and learn little by little without anything being public. It is very easy to do, with a simple file which you have to place on your web server. However, if you are using WordPress or another CMS, maybe there are better ways to do this. I also have to warn that I have tried this with an Apache server; I don’t know whether it would be the same for others.

The file is called .htaccess, and depending on what you want to achieve you will need to configure it differently. You can require a password for one or several users of your choice to access one, several or all the resources that you host on your website.

If you want to protect the entire website, you must create (or modify, if you already have it) the .htaccess file in the main directory, which in my case is similar to this: “/kunden/homepages/39/d912951239/htdocs”. If you want everything to be public except some links, you should create the file in the folder for which you want to require a password, for example this one: “/kunden/homepages/39/d912951239/htdocs/private”.

Depending on whether you want to use a single user or more, you have to do one thing or another. If you only want to use one user, the best option is to use the same user that the hosting gives you to access their services by SFTP or SSH. It is the safest way, since the file where the encrypted password of your user is stored (htpasswd) only has read permission for root. However, this is the case in the company where I host the website, but I do not know if this is the case everywhere.

-r-------- 1 www-data ftpusers 118 jun 19 21:46 htpasswd

User provided by the hosting

This method is the easiest. The first thing you need to do is locate the htpasswd or .htpasswd file on the server. Then, modify .htaccess with the following lines, replacing my information (path to the file and user name) with yours:

AuthType Basic
AuthName "Dialog prompt"
AuthBasicProvider file
AuthUserFile "/kunden/homepages/39/d912951239/htpasswd"
Require user u102573847

You can now upload the file, and when you reload the page a window should appear in your browser requesting the username and password. Be careful: check whether the data is sent over HTTP or HTTPS, since with the first option the password will travel without encryption. To force an HTTPS connection it is recommended to use HSTS, which can be easily done by adding a few more lines to the same .htaccess file we are modifying right now. I will write another post talking about this.

One or more users of your choice

If you want to use usernames and passwords created by yourself, you need to create your own htpasswd file as follows:

  1. Connect via ssh to the server
  2. Go to the directory you want to protect
  3. Use the following command, filling it with your info.

htpasswd -c <path>/.htpasswd <user>

Where “user” is the username you desire, “path” is the path to the directory where you want the file to be created, and -c is the option to create the new file. Pressing enter will ask for the password of the new user. To add more users, remove the -c option, since -c would recreate the file and discard the users already in it. Example of the command:

htpasswd -c /kunden/homepages/39/d912951239/private/.htpasswd mynewuser

If I wanted another user:

htpasswd /kunden/homepages/39/d912951239/private/.htpasswd myseconduser

Now fill the .htaccess file with these lines, replacing my info with what you just created:

AuthType Basic
AuthName "Dialog prompt"
AuthBasicProvider file
AuthUserFile /kunden/homepages/39/d912951239/private/.htpasswd
Require valid-user

If you have more than one user, requiring a “valid-user” will look into .htpasswd for matching names and passwords.
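An added example (not part of the original post): a shell function that audits an htpasswd file like the one created above, flagging a mode that lets other local accounts read it and entries stored in the formats the htpasswd manual describes as insecure (crypt, SHA-1, plaintext). The function names and the sample hash strings are constructed for illustration.

```shell
# Classify one stored hash by its prefix (formats used in Apache password files).
hash_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '$5$'*|'$6$'*)           echo sha-crypt ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# Print one line per finding; return 1 if anything was reported, 0 otherwise.
audit_htpasswd() {
    file=$1; findings=0
    # A non-zero last mode digit means accounts outside owner/group can access the file.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *[1-7]) echo "PERM $file mode $mode is accessible to other users"; findings=1 ;;
    esac
    # Each entry is user:hash; skip blank lines and comments.
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            bcrypt|sha-crypt|apr1-md5) ;;
            *) echo "WEAK $user uses $scheme"; findings=1 ;;
        esac
    done < "$file"
    return "$findings"
}

# Constructed sample: the hash values are placeholders, not real hashes.
demo=$(mktemp)
printf '%s\n' 'mynewuser:$2y$05$constructedPlaceholder' \
              'myseconduser:{SHA}constructedPlaceholder' > "$demo"
chmod 644 "$demo"
audit_htpasswd "$demo" || echo "findings reported"
rm -f "$demo"
```

Entries reported as WEAK can be replaced by re-running htpasswd for that user with the -B option, which stores a bcrypt hash.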

More information

If this is not exactly what you were looking for, or you are having trouble, everything is explained in the Apache documentation.