How to use htaccess to password protect your website
November 29th, 2017
Warning: This post is 6 years old. Some of this information may be out of date.
There are many reasons why you would want to password protect your website, or a section of your website. For example, your website could be under development and should only be accessible by yourself or your clients. Or you may want to limit access to an admin area or a photo gallery.
If your website is served via the Apache web server, password protecting specific areas can be implemented quite easily using a .htaccess file. The process consists of two parts. The first step is to generate a password file. The second step is to implement the rules and reference the file.
Step 1: Creating the password file
To create the password file you should use the htpasswd command line tool. This is usually installed as part of the Apache web server. SSH in to your server and run the following command:
htpasswd -c .htpasswd <username>
Where <username> is the name you want to use in the 'User name' section of the login prompt. When you hit enter it will prompt you for a password, and then ask you to confirm it. Note that you won't see anything on the screen when you enter your password.
> htpasswd -c .htpasswd Andrew
New password:
Re-type new password:
Adding password for user Andrew
When this is done, your password will be stored in the .htpasswd file as a salted hash rather than in plain text. To see this, use the cat command:
> cat .htpasswd
Andrew:$apr1$ljvK4NbA$ww9drMuLx3FKwXu0ofkZh1
For security reasons you MUST keep this file OUTSIDE of your website public directory. A good place to put it is one directory above your web directory. For example, if your website is served from /home/username/public, your password file would live at /home/username/.htpasswd.
Step 2: Adding the htaccess password protection
Now that you've created the password file you can set up the htaccess file to handle the password protection. Inside your website public directory, either create or edit the .htaccess file and add the following:
AuthName "Password Protected Website"
AuthType Basic
AuthUserFile /home/username/.htpasswd
Require valid-user
Save the file and browse to your website. You should get a prompt asking for your Username and Password.
If you want to password protect a specific directory on your website, simply create or edit the .htaccess file inside that directory and add the code above.
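A quick audit of the two steps above, as an added example that is not part of the original post: the function below reads a .htaccess file and checks that AuthUserFile is an absolute path to an existing file outside the web root, and that AuthType Basic and a Require line are present. The function name check_htaccess_auth and its messages are assumptions made for this example.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# Usage: check_htaccess_auth DOCROOT HTACCESS  -> returns 0 if sound, 1 otherwise.
check_htaccess_auth() {
    docroot=$1; htaccess=$2; rc=0
    [ -f "$htaccess" ] || { echo "FAIL: $htaccess not found"; return 1; }
    root=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { echo "FAIL: web root $docroot not found"; return 1; }

    # Directive names are case-insensitive; take the first AuthUserFile value
    # and drop optional surrounding quotes. Commented-out lines are ignored.
    pwfile=$(awk 'tolower($1) == "authuserfile" {
        $1 = ""; sub(/^[ \t]+/, ""); gsub(/^"|"$/, ""); print; exit }' "$htaccess")

    case $pwfile in
        "") echo "FAIL: no AuthUserFile directive"; rc=1 ;;
        /*) # Resolve symlinks in the directory part, then compare with the web root.
            pwdir=$(cd "$(dirname "$pwfile")" 2>/dev/null && pwd -P) || pwdir=
            if [ -z "$pwdir" ] || [ ! -f "$pwfile" ]; then
                echo "FAIL: $pwfile does not exist"; rc=1
            else
                case "$pwdir/" in
                    "$root"/*) echo "FAIL: $pwfile is inside the web root $root"; rc=1 ;;
                esac
            fi ;;
        *)  # Apache resolves a relative path against ServerRoot, not this directory.
            echo "FAIL: relative AuthUserFile '$pwfile'; use an absolute path"; rc=1 ;;
    esac

    grep -Eqi '^[[:space:]]*AuthType[[:space:]]+Basic' "$htaccess" ||
        { echo "FAIL: AuthType Basic missing"; rc=1; }
    # Without a Require line Apache never asks for credentials.
    grep -Eqi '^[[:space:]]*Require[[:space:]]+' "$htaccess" ||
        { echo "FAIL: no Require directive, so nothing is enforced"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $htaccess uses $pwfile"
    return "$rc"
}

# Run directly as: sh check.sh /home/username/public /home/username/public/.htaccess
if [ "$#" -eq 2 ]; then check_htaccess_auth "$1" "$2"; fi
```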