How to Password Protect a Directory on Your Website

Hi Friends,

Today I will show how to password protect a directory on your website. If you want to make a directory available only to a selected group of people, you can protect it with a password.

If you are hosted on a cPanel server and your hosting provider offers directory protection, you can set this up easily from cPanel (go to the Files section and click the Directory Privacy icon). This saves time and does not require any technical knowledge.

However, if your hosting provider does not provide this facility, you can protect your directory by following the steps below.

 

System Requirements:

  1. Your site must be running on an Apache web server.

  2. Your web host must have enabled .htaccess processing, i.e. they allow you to customize your web server environment using localized configuration files called .htaccess files. Generally it is enabled by all hosting providers.

  3. You must have shell access.

 

Steps to Protect a Directory with a Password Using .htaccess on Apache:

  1. Create a .htaccess file:

You can use any text editor to create it. Create the file .htaccess in the directory you want to protect (for example “/home/your-account-name/public-html/gallery” if you would like to protect the sub-directory gallery), write the contents below into it and save it:

 

AuthName "Protected Area"
AuthType Basic
AuthUserFile /path/to/your/directory/.htpasswd
require valid-user

 

Definition:

AuthName:

Change “Protected Area” to any name that you like. This name will be displayed when the browser prompts for a password.

AuthType:

It is the type of authentication. This must be Basic, so do not change it.

AuthUserFile:

The “AuthUserFile” line tells the Apache web server where it can locate the password file.

Ideally, the password file should be placed outside any directory accessible by visitors to your website. For example, if the main page of your web site is located in “/home/your-account-name/public-html/”, then place your .htpasswd file in “/home/your-account-name/” so that its full path looks like “/home/your-account-name/.htpasswd”.

require:

This directive specifies who is allowed to access the directory after authenticating. Here we specify “valid-user”, which means that a correct username and password must be given to access the page. Do not change this; it must be “valid-user”.

 

2. Set Up the Password File (.htpasswd):

We need to create a file .htpasswd in the home directory that will contain the username and password (the password will be stored in encrypted format).

Use the command below to create the file .htpasswd with a username and password:

htpasswd -c .htpasswd your-user-name

where

htpasswd is the utility to create a file containing username and password.

-c tells htpasswd to create a new file named .htpasswd.

.htpasswd is the name of the file that we are creating.

your-user-name is the login name of the user you want to give access.

Note: The user name should be a single word without any intervening spaces.

Once you execute the above command, you will be prompted to enter the password for that user.

 

 

When this is done, the htpasswd utility creates the file .htpasswd in your current working directory (the home directory in this case). You can move the file to its final location later, according to the AuthUserFile path you set in .htaccess.

If you want to create more than one user for the same directory, you need to create a username and password for each of them as well. Use the command below to add another user for the same directory.

htpasswd .htpasswd another-user-name

Notice that this time, we did not use the “-c” option.

When the “-c” option is not present, htpasswd will look for an existing file by the name given (.htpasswd in this case), and append the new user’s password to the same file.

IMPORTANT: If you use “-c” for your second user, you will wipe out the first user’s entry, since “-c” tells htpasswd to create a new file, overwriting the existing file if one is present.

 

 

The content of the file “.htpasswd” will look like the below image:

 

 

The above file “.htpasswd” has two different users, “Shashank” and “Shekhar”. The passwords of the two users are also different, as we provided a different password for each. The passwords are stored in encrypted form so that no one can learn them by looking at the file “.htpasswd”.

Also make sure that the permission of the file “.htpasswd” is 644 (i.e. rw-r--r--). Check the permission of the file by executing the command below:

ls -al | grep .htpasswd

 

 

We check the permissions of the file “.htpasswd” to make sure it cannot be written by anyone other than you, including other users who have an account on the same server as you.

If you have followed all the steps carefully and everything matches what is described here, you are all set. Access the site you have protected and you will see the login prompt below.
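The checks from the steps above can be run in one pass. The script below is an added example, not part of the original post: it reads the .htaccess of a protected directory and reports anything that differs from the setup described here. The function names are made up for this example, and it assumes AuthUserFile is given as an absolute path.

```shell
#!/bin/sh
# Added example: audit the .htaccess/.htpasswd pair set up in the steps above.
# Prints one finding per line; no output means every check passed.

# directive FILE NAME -> value of the first matching directive, quotes stripped.
directive() {
    awk -v want="$2" 'tolower($1) == tolower(want) {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$1"
}

# audit_protected_dir DIR DOCROOT
audit_protected_dir() {
    ht="$1/.htaccess"; docroot=$2
    [ -f "$ht" ] || { echo "missing $ht"; return 0; }

    [ "$(directive "$ht" AuthType | tr '[:upper:]' '[:lower:]')" = basic ] ||
        echo "AuthType is not Basic"
    [ "$(directive "$ht" Require | tr '[:upper:]' '[:lower:]')" = valid-user ] ||
        echo "Require is not valid-user"

    pw=$(directive "$ht" AuthUserFile)
    [ -n "$pw" ] || { echo "no AuthUserFile line"; return 0; }
    [ -f "$pw" ] || { echo "password file not found: $pw"; return 0; }

    # The password file should sit outside every directory visitors can reach.
    real_pw=$(cd "$(dirname "$pw")" && pwd -P)/$(basename "$pw")
    real_root=$(cd "$docroot" && pwd -P)
    case $real_pw in
        "$real_root"/*) echo "password file is inside the document root" ;;
    esac

    # 644 or stricter: only the owner may write the file.
    [ -z "$(find "$pw" \( -perm -020 -o -perm -002 \) -print)" ] ||
        echo "password file is writable by group or others"

    # Each entry is user:hash, and the user name is a single word.
    awk -F: '/^$/ { next }
        NF < 2 || $1 == "" || $1 ~ /[ \t]/ { bad = 1 }
        END { exit bad + 0 }' "$pw" ||
        echo "malformed entry in password file"
}

# Run against real paths when called as: sh audit.sh DIR DOCROOT
if [ $# -eq 2 ]; then audit_protected_dir "$1" "$2"; fi
```

The script only inspects files on disk. Basic authentication sends the password base64-encoded with every request, so the protected directory should be served over HTTPS.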

 

If you face any issue in setting these, feel free to comment below. I will be more than happy to help you.

 
