Password Protecting Files and Folders using .htaccess in Apache
Introduction
The Apache web server lets you password protect individual files, folders, or your entire site. Read on to find out how it's done.
Overview
To add password protection to your pages, you need to do the following:
- Create a text file on your server that will store your username and password.
- Create a special file called .htaccess in the folder you want to protect.
Creating the password file
The first step is to create a simple text file that will store your username and password, separated by a colon (:). Note that this password must be encrypted. Luckily, there are many free web-based utilities that will encrypt the password for you. Try one of these:
- 4WebHelp's online .htpasswd encryption tool
- Alterlinks .htaccess password generator
- htmlite's htpasswd encryption page
Simply enter your desired username and password in one of these pages and submit the form. You'll get back a string similar to the following:
dave:a9d921jf9c
Now, open up your text editor, then copy and paste the username/password string into the editor. Save the file and call it .htpasswd.
The file .htaccess essentially does not have a filename.
Windows will not allow you to save the file as .htaccess, since it requires the [filename].[extension] syntax for each and every file.
Do not worry! Simply save the file as a.htaccess, and read on.
Next, upload this file to your web space. Make sure you place it outside the Web root of your site if possible, as you don't want just anyone to be able to view the file! For example, place it above your public_html or htdocs folder.
If you can't place your .htpasswd file outside your Web root, name it something that's not easily guessable - for example, .ajfiwpo - so that people won't be able to guess the filename.
If you uploaded the file as a.htaccess, now's the time to rename the file to .htaccess. If this does not work, get in touch with your web host for technical help, or drop me an email.
Alternative Method
If you have SSH access to your web server (or you're running Apache on a local machine), you can encrypt your password and add it to your password file in one go by using the htpasswd utility that comes with Apache. Simply SSH to your server or open up a terminal window on your local machine, cd to the folder where you want to create your password file, and type:
htpasswd -c .htpasswd fred
(where fred is the username you want to use). You'll be prompted to enter and retype your password, then the .htpasswd file will be created for you.
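An added example (not part of the original page): a small Python audit that reads a password file like the one created above and reports which storage scheme each entry appears to use, going by the prefixes Apache uses for bcrypt ($2y$), its MD5 variant ($apr1$) and SHA-1 ({SHA}). The strong/legacy/insecure labels are this example's own, and the sample entries other than the two strings quoted on this page are constructed placeholders, not real hashes.

```python
import re

# Constructed sample: the first two lines reuse the strings shown on this page;
# the rest are placeholders with the right prefix, not real hashes.
SAMPLE = """\
dave:a9d921jf9c
fred:p29cmnwl4a0et
alice:$2y$05$constructedPlaceholderNotARealHash
bob:$apr1$constructed$placeholderNotARealHash
carol:{SHA}constructedPlaceholder=
fred:$2y$05$constructedPlaceholderNotARealHash
nocolonhere
"""


def classify_hash(value):
    """Guess the scheme from the stored value's prefix or shape."""
    if value.startswith("$2y$"):
        return "bcrypt", "strong"
    if value.startswith("$apr1$"):
        return "apr1-md5", "legacy"
    if value.startswith("{SHA}"):
        return "sha1-unsalted", "insecure"
    # Traditional crypt(): 13 characters from [./0-9A-Za-z] (heuristic).
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "crypt-des", "insecure"
    return "plaintext-or-unknown", "review"


def audit_htpasswd(text):
    """Return (line_no, user, scheme, verdict) for each entry in a password file."""
    findings, seen = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        if not (sep and user and value):
            findings.append((no, user, "malformed", "review"))
            continue
        scheme, verdict = classify_hash(value)
        if user in seen:  # a repeated user name: only one entry is effective
            verdict = "duplicate-user"
        seen.add(user)
        findings.append((no, user, scheme, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_htpasswd(SAMPLE):
        print(*finding)
```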
Creating the .htaccess file
Now that you have created and uploaded your password file, you need to tell Apache to use it to protect your page(s) or site. This is what your .htaccess file will do.
Open your text editor again, create a new file, and save it as .htaccess.
Protecting a folder
To password protect a folder on your site, you need to put the following code in your .htaccess file:
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "My Secret Folder"
Require valid-user
/full/path/to/.htpasswd should be the full path to the .htpasswd file that you uploaded earlier. The full path is the path to the file from the Web server's volume root - not the web site's. For example, /home/username/.htpasswd or C:\wwwroot\username\.htpasswd. (If you're not sure of the full path to your site directory, ask your web host for this information).
The above .htaccess file will password protect all files in the folder that it is placed in, and all sub-folders under that folder too. So if you wanted to password protect your entire site, you would place the .htaccess file in your Web root folder.
If you use a web-based administration interface on your site, double check you've done everything above correctly - otherwise, you'll block yourself out!
Protecting Individual Files
To password protect just a single file in a folder, use the following .htaccess file:
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "My Secret Page"
<Files "mypage.html">
Require valid-user
</Files>
This will password protect just the mypage.html file in the folder where you put the .htaccess file.
Uploading the .htaccess file
Once you've created your .htaccess file, upload it to your website, placing it in the folder (or folder containing the file) that you want to protect.
Browsing to the protected area of your site, you should now see a password dialog. Type in the username and (unencrypted) password that you chose earlier, and you should be given access to your folder or file.
Troubleshooting
If you can't access your stuff and the dialog keeps popping up, check that you entered the username and password correctly. If it still doesn't work, check the path to your .htpasswd file on the server - make sure the path specified in the AuthUserFile directive is correct. Also make sure that both the .htpasswd and .htaccess files are readable by the Web server user (chmod 644 should do the trick for UNIX/Linux/FreeBSD servers).
If the password protection isn't working (i.e. you can still access your stuff without needing to enter a username/password), check that you uploaded your .htaccess file to the right folder. Also check that your web server supports .htaccess password protection (it needs to be an Apache server, and your server admin needs to have enabled the AuthConfig override for your site).
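The checks from the troubleshooting steps and from the advice on where to keep the password file, as an added Python example (not part of the original page): it parses an .htaccess file and reports missing directives, an AuthUserFile that is not a full path, and a password file that sits inside the web root. The web root /home/username/public_html is a hypothetical path, backslash-style Windows paths are not handled, and the ".ht*" note assumes the server denies web access to files with that prefix, as Apache's stock configuration does.

```python
import os
import shlex


def parse_htaccess(text):
    """Map lowercase directive name -> list of argument lists (section tags skipped)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = shlex.split(line)  # handles AuthName "My Secret Folder"
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def check_htaccess(text, docroot):
    """Return a list of problems with a Basic-auth .htaccess; empty means none found."""
    d = parse_htaccess(text)
    problems = [f"missing {n}" for n in
                ("authuserfile", "authtype", "authname", "require") if n not in d]
    if "authtype" in d and [a.lower() for a in d["authtype"][-1]] != ["basic"]:
        problems.append("AuthType is not Basic")
    for args in d.get("authuserfile", []):
        path = args[0] if args else ""
        if not os.path.isabs(path):
            problems.append("AuthUserFile is not a full path")
            continue
        path, root = os.path.normpath(path), os.path.normpath(docroot)
        if os.path.commonpath([path, root]) == root:
            problems.append("password file is inside the web root")
            # Assumption: the server only hides files whose names start with ".ht".
            if not os.path.basename(path).startswith(".ht"):
                problems.append("name is not covered by a '.ht*' deny rule")
    return problems


# Constructed sample inputs (hypothetical paths).
DOCROOT = "/home/username/public_html"
GOOD = ('AuthUserFile /home/username/.htpasswd\nAuthType Basic\n'
        'AuthName "My Secret Folder"\nRequire valid-user\n')
BAD = ('AuthUserFile /home/username/public_html/.ajfiwpo\nAuthType Basic\n'
       'AuthName "My Secret Folder"\n')

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_htaccess(text, DOCROOT))
```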
Password Protecting Additional Content
- If you want to password protect other folders (that aren't under the currently protected folder), simply copy your .htaccess file to the new folder to be protected.
- To password protect more than one file in the same folder, just create more <Files></Files> blocks within the same .htaccess file - for example:
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "My Secret Page"
<Files "mypage.html">
Require valid-user
</Files>
<Files "myotherpage.html">
Require valid-user
</Files>
Adding more usernames and passwords
You're not restricted to just one username/password. If you want to add other usernames and passwords, simply repeat the "Creating the password file" procedure above, but add each new username/password line to your existing .htpasswd file, e.g.:
fred:p29cmnwl4a0et
linda:vwp45xakfh89
Alternatively, if you're using htpasswd to create your passwords, as described earlier, then you can add extra users with the command:
htpasswd .htpasswd ronald
(where ronald is the username you want to add). Make sure you don't include the -c option when adding additional users, or htpasswd will attempt to create a new password file!
Further info
For full information on Apache's mod_auth module (the module that does password protection, amongst other things), see the Apache mod_auth documentation.
Revised February 2008 © Ronald MacDonald.