At some stage most of you will find the need to restrict the access of
content to specific users. This can be for a number of reasons, such as the development of a member section,
or the creation of private media content.
This guide illustrates how to password protect a directory of your website in a matter of minutes using .htaccess and .htpasswd files.
Unlike alternative methods such as custom written PHP/ASP scripts
this method is extremely simple and doesn't require HTML/PHP/ASP pages to protect the content.
This enables the protection of folders that only contain images or other media.
The guide is set out as follows. It is not designed to provide a comprehensive guide to
password protecting directories, but it should be adequate for your needs.
- An introduction to .htaccess files
- Creating the .htaccess file
- Creating the .htpasswd file
- Uploading the .htaccess and .htpasswd files
.htaccess (short for hypertext access) files serve as directory level configuration files for
Apache HTTP Servers. They are commonly used for restricting access, password protecting directories, customizing error documents and rewriting URLs.
The .htaccess files are hidden from view, and apply to the folder in which they are located, along with any sub folders within that folder (providing they don't have their
own .htaccess file). This guide will focus on the .htaccess file's ability to password protect a directory.
To protect a directory, you use the .htaccess file to tell the server that the folder requires password authentication in order to gain access.
.htaccess will reference a separate file, usually with the filename .htpasswd, that contains accepted usernames and passwords. 
When a visitor attempts to gain access to the restricted area, a login box will appear. If the user inputs a correct username/password combination they will
be granted access. If the user does not, they will see a "401 Authorization Required" error page. Below are some example login boxes for Internet Explorer and Firefox.
To create a new .htaccess file you can simply use Notepad or any other text editing program. When you save the file using the Save dialog box, I recommend placing .htaccess
within parentheses ".htaccess" to avoid the software saving the file as .htaccess.txt or with some other file extension.
Below is an example .htaccess file:
AuthName "Restricted Area"
The code above can be explained as follows:
- Line 1 is optional, and states the text to display within the login box that appears when a user tries to gain access.
- Line 2 states the authentication type. Basic is the most common, and will suit your purposes here.
- Line 3 states the location of the file that contains the accepted username/password combination(s).
The recommended location for the .htpasswd file will be discussed later. If you don't know the
full path to your root directory, ask your web hosting provider.
- Line 4 states that all username/password combinations in the .htpasswd file can be accepted. If you only wanted one username/password
combination to work, you could replace line 4 with the line below. This line states that only the username "bob" and its corresponding password can be accepted.
The .htpasswd file will list all username/password combinations that are accepted.
It takes the format username:ecryptedPassword. A typical file is depicted below.
If you had numerous username/password combinations that can be accepted, the file would look something like:
The obvious step now is to create the encrypted password text to place in the .htpasswd file. This can be done using scripting
languages such as PHP using the crypt() function. An easier way, though, is to use an online password generator. Walshaw.com has
a free .htpasswd generator located in the Tools section.
Simply enter a username and password into the form, and the .htaccess and .htpasswd content is generated for you.
You should note the password is not decryptable.
Also, when you use the password generator, you will get a different encrypted code each time.
This is due to a randomly generated salt that is used to base the encryption on. These will all work,
as the server will know how to interpret the salt.
Once you have created your two files, the next step is to upload them. Placing the two files in the appropriate
locations and setting the correct file path on line 3 of the .htaccess file will make the difference between the
password protection working and not working.
The .htaccess file needs to be uploaded into the folder that it is intended to protect. If you want to protect
a collection of sub folders, then you should upload it into the uppermost directory that you wish to protect.
For example, a .htaccess file uploaded to www.yoursite.com/mystuff/media/ would protect that folder along with
www.yoursite.com/mystuff/media/images/, and so on.
For security purposes the .htpasswd file needs to be uploaded above your public web directory. For example, when you log into
FTP you have a folder called something like htdocs/ or public_html/ where you upload all your web files. Anything
within the public folder can be accessed using a browser. Anything above the folder can only be accessed and seen
using FTP. This is where you need to place the .htpasswd file. Take for example the directory structure below:
You can see that the .htpasswd file is located above the root web directory (called public_html), out of the sight of web surfers.
When you reference the location of the .htpasswd file in the .htaccess file you use the absolute file path
of the .htpasswd file, not the file path relative to the .htaccess file. If you don't know the full path to your
root directory, ask you hosting provider. If your server accepts PHP files, you can create a file using the code below
to find the full path to your files.
If you upload and run the file, then scroll down the resulting page to Environment, you will see the document root. If
the document root looks something like:
/home/users/web/t123/yourName/public_html/, then the server path you should input into
line 3 of the .htaccess file would be /home/users/web/t123/yourName/.
I labor this point because it is so important, and it is where most people slip up. If you upload the two files
but find the server doesn't accept the username/password combination you entered, the most likely fault is an
incorrect reference to the .htpasswd file within the .htaccess file.
Once the files are uploaded, and providing the files are configured properly, your directory is now password protected.
Some Handy links