You can password protect specific directories on your website very easily in just a few minutes. You might want to password protect a directory to:
- Restrict access to certain directories so that only you can access them
- Allow certain users to view content specifically for them
- Prevent bots and search engine spiders from indexing the content
Password protecting a directory using a control panel
Some commercial web hosts which offer a control panel (like cPanel, for example) will allow you to password protect a directory in a few short steps with the click of a mouse. The process in cPanel is this:
- Log in to your cPanel account.
- Under Security, click the icon which says Password Protect Directories.
- In the pop-up window, select the directory you'd like to navigate to.
- Select the directory you want to password protect from the list and click it.
- Create a username and password for this directory, which you'll need to enter whenever you visit it.
If you don't have access to this control panel, or would prefer to do it manually, we can use built-in Apache functions to achieve the same thing.
Adding password protection to a folder in Apache
To get started with password protecting your directory, you'll need the following:
- A web server which is running on Apache.
- A web host that allows you to create and modify a .htaccess file to customize your server configuration.
- Shell access (SSH) so that you can access your web server using a command line interface. (You need to know how to connect to your server using SSH too).
Setting up your .htaccess file
The first thing we need to do is set up your .htaccess file so that the web server knows where to look for the password file and the authentication type as well. Your .htaccess file should look like this:
AuthName "Password Protected Area"
AuthType Basic
AuthUserFile /your/directory/.htpasswd
require valid-user
The AuthName line will be shown in the browser to anybody trying to access the folder and you can change this to whatever you'd like to give more details about what the directory is.
AuthType lets the server know what type of authentication is needed, and Basic is the common choice. Bear in mind that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so if you plan to password protect sensitive data you'll need to serve the directory over SSL (HTTPS). That's beyond the scope of this tutorial, though. For now, leave this as Basic.
AuthUserFile is where we point the server to our password file. We will create that file in the next step, and it should ideally be located outside of any folder which is accessible from a web browser. So if your site files are in /my-site/public-html/, you might want to put this file one directory up, in /my-site/, to avoid it being served over the web. Always use the full (absolute) path to this file.
Once you've made these changes, you can save your .htaccess file and upload it to the directory you want to protect using FTP.
Setting up your .htpasswd file
To create your directory password file, log in to your server using secure shell (SSH) and change to your home directory (running the change directory command cd with no arguments and pressing Enter usually takes you there).
(Note: your password file can be named whatever you like, but for ease we'll use .htpasswd in this tutorial)
Use the following command to create your password file with a username:
htpasswd -c .htpasswd user-name
user-name should be a single word with no spaces, and once you press return you'll be prompted to create a password for this user as well. The htpasswd utility that ships with Apache will create the password file for you (in this case .htpasswd) and place it in your current directory.
You can move this file to a different directory if you specified a different location in the AuthUserFile line of your .htaccess.
To add passwords to your file for additional users you want to grant access to the directory, you use a slightly different command:
htpasswd .htpasswd another-user-name
In this command, -c is not used since we already created the file we need. Without that flag, htpasswd looks for the existing file named in the command (.htpasswd here) and adds the new user to it. Be careful, because if you do use -c it will overwrite the original file and create a new one.
Viewing the contents of your .htpasswd file
To check whether you have done everything correctly, you can view the content of the password file you created with another quick command:
cat .htpasswd
cat is a common command which can do several different things; here we're using it to print a file to the terminal. In the file, usernames are stored in plain text, each next to a hashed (often described as encrypted) password, one user per line. You can see that each line pairs a username with a password in the form username:password. These passwords are not the actual passwords you chose; they are hashed using one of a few schemes depending on how the server is set up.
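As an added example (not from the original page), a small Python script that parses a constructed two-user .htpasswd file and verifies a password against the two older schemes the htpasswd tool writes with -m (Apache's $apr1$ MD5 variant) and -s ({SHA}); bcrypt and crypt entries are refused rather than guessed. The $apr1$ entry for alice is the example hash for "myPassword" from Apache's password encryption documentation; the user names and bob's password are made up.

```python
import base64
import hashlib
import hmac
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # md5-crypt's own 6-bit alphabet, low bits first; not standard base64
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_md5(password, salt):
    # Apache's "$apr1$" scheme: the md5-crypt algorithm with a different magic string
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3: ctx.update(salt)
        if i % 7: ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return "$apr1$" + salt.decode() + "$" + enc + _to64(final[11], 2)

def sha_entry(password):
    # The "{SHA}" scheme: unsalted base64(SHA-1(password)), weak but still accepted by Apache
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def parse_htpasswd(text):
    # One "username:hash" pair per line; the username is stored in plain text
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def verify_password(stored, password):
    # Pick the scheme from the stored prefix, recompute the hash, compare in constant time
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha_entry(password)
    else:
        return False  # bcrypt ($2y$) and crypt entries need other libraries; refuse rather than guess
    return hmac.compare_digest(candidate, stored)
# Constructed two-user file (not from the page); alice's hash is the documented example for "myPassword"
SAMPLE_HTPASSWD = "alice:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\nbob:" + sha_entry("hunter2") + "\n"
```

On a current Apache, htpasswd defaults to bcrypt ($2y$), which this script deliberately does not attempt to verify.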
Checking the permissions of your .htpasswd file
We need to make sure your password file has strict permissions so that it can't be read or changed by anybody who shouldn't. To check, we can look at the file's current permissions with this command:
ls -al .htpasswd
The ls command lists the files in a directory; -al means show all entries (including hidden dotfiles such as .htpasswd) in the long format, which includes each file's permissions – which is what we want.
If your htpasswd file has a listing like the following, we need to make some changes:
-rw-rw-rw- (more outputs) .htpasswd
The first rw means the file is readable and writable by the owner (you), which is what we want. But the second and third rw mean that it is also readable and writable by everyone in the same user group as you, and by anybody else who has an account on the server, too.
We need to make this more secure by changing the permissions with:
chmod 644 .htpasswd
This sets the permissions of your password file to 644, which gives you read and write access but only read access to everybody else. The web server process still has to read the file to check logins, which is why the read bit for others stays set.
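An added example (not from the original page) that automates the two checks above in Python: it converts an ls -l mode column to the matching chmod number, and reports a password file that sits inside the document root or is writable by group or others. The directory layout and file contents it builds in a temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile

def ls_mode_to_octal(mode_string):
    # Turn the first column of `ls -l` (e.g. "-rw-rw-rw-") into the matching chmod number.
    # Setuid/setgid/sticky letters are treated as plain execute bits, which is enough here.
    value = 0
    for ch in mode_string[1:10]:
        value = (value << 1) | (ch != "-")
    return "%03o" % value

def htpasswd_problems(path, document_root):
    # Report why a password file is unsafe: it sits under the web root, or the
    # group/other write bits are set (the "-rw-rw-rw-" case from the text).
    problems = []
    real, root = os.path.realpath(path), os.path.realpath(document_root)
    if real == root or real.startswith(root + os.sep):
        problems.append("inside the document root")
    mode = stat.S_IMODE(os.stat(real).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %03o)" % mode)
    if not mode & stat.S_IRUSR:
        problems.append("not readable by its owner")
    return problems

def demo():
    # Constructed layout, not a real site: <tmp>/public-html is the web root and the
    # password file is tried both inside it and one directory up, as the text recommends.
    site = tempfile.mkdtemp()
    public = os.path.join(site, "public-html")
    os.mkdir(public)
    inside, outside = os.path.join(public, ".htpasswd"), os.path.join(site, ".htpasswd")
    for p in (inside, outside):
        with open(p, "w") as fh:
            fh.write("alice:placeholder-hash\n")  # placeholder content, not a real hash
        os.chmod(p, 0o666)  # world-writable, as in the bad ls listing
    before = htpasswd_problems(inside, public)
    os.chmod(outside, 0o644)  # the fix from the text
    after = htpasswd_problems(outside, public)
    return before, after
```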
Testing your password protected directories
The final step is to use your web browser and visit the directory you've password protected to make sure it requests a username and password, and allows access once you have provided the correct credentials.
If it works, you'll have access to the folder and any files contained within it.