Keep Out!
There are likely to be areas of your website that you don’t want others to be able to access, such as admin areas. Or sometimes you might want to do some quick updates to your code without the website being accessible to the public. If you’re using the Apache web server, the hypertext access (.htaccess) file lets you add password protection in a flash.
.htaccess
Apache has a built-in way of protecting entire directories (and sub-directories) from unauthorised users. Let’s assume that you are protecting your /admin/ directory.
If you don’t have an .htaccess file in the admin directory you will need to create one. (For Apache to honour it, the server configuration must allow per-directory overrides for that path with at least AllowOverride AuthConfig; if overrides are switched off the file is ignored and the directory stays open.) The .htaccess file then needs just 4 lines of code to turn on password protection:

AuthType Basic
AuthName "Admin Area"
AuthUserFile /system/path/to/.htpasswd
Require valid-user
AuthType
The AuthType directive selects the method that is used to authenticate the user. “Basic” is the most common method and is fine for what we are trying to accomplish, with one caveat: Basic authentication sends the username and password with every request, merely base64-encoded rather than encrypted, so anyone who can see the traffic can read them. Only use it for pages served over HTTPS.
AuthName
The AuthName directive sets the Realm that will be used during authentication. The Realm has two uses. Firstly, the web browser often presents this information to the user as part of the password dialogue box. Secondly, it is used by the web browser to determine which password to send for a given authenticated area. Once a user has authenticated in one Realm, the web browser will automatically retry the same password for any area on the same server that is marked with the same Realm. This means that a user will not be prompted for a password more than once if multiple restricted areas share the same Realm.
AuthUserFile
The AuthUserFile directive sets the path to the password file that stores usernames and hashed passwords for your users. This is the absolute path on the server’s filesystem, not the path within your web space, and the file should ideally live outside the document root so that it can never be served to a visitor.
Require
The Require directive provides the authorisation part of the process by specifying who is allowed to access this area. You can name specific users (Require user followed by one or more usernames) or use “valid-user” to allow anyone in who is listed in the password file and correctly enters their password.
Set Up A .htpasswd User List
Once the .htaccess file has been set up, we need to create the .htpasswd file so that Apache knows which users should be granted access to our admin area.
.htpasswd files are text files that list each user and their hashed password, one per line, like so:

admin:PAzNeZcFJV3Vk
bob:oRCu8rlaPEaTs
frank:1VhSkx7Q37ZYQ

(Passwords are hashed with a one-way algorithm, so the password cannot be recovered from the stored value; Apache hashes what the user types and compares the results. The 13-character entries above are the old Unix crypt() format, which is fast to brute-force and truncates passwords to 8 characters. Apache 2.4 also accepts bcrypt hashes, which are far stronger, so prefer those where you can.)
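To make the exchange concrete, the following Python simulation is added here for this article; it is not Apache code and not part of the original tutorial. It models, for one request, what Apache does with the .htaccess above: the server’s 401 challenge carrying the AuthName realm, the browser’s Authorization header (which is only base64, so the script decodes it straight back to the plaintext), and a Require valid-user lookup against a .htpasswd-style list. The user list, the passwords and the placeholder bcrypt line are constructed sample data, and the script only understands the “{SHA}” entry format written by `htpasswd -s` (base64 of a raw SHA-1 digest); other formats are refused rather than silently accepted.

```python
"""Simulate HTTP Basic authentication against an htpasswd-style user list.

Added example for this article, not Apache's own code. Only the "{SHA}"
entry format (what `htpasswd -s` writes) is implemented; bcrypt/MD5/crypt
entries are rejected with an error instead of being mis-verified.
"""
import base64
import hashlib
import hmac

REALM = "Admin Area"  # mirrors AuthName in the .htaccess above


def make_sha_entry(password: str) -> str:
    """Hash field as stored by `htpasswd -s`: unsalted SHA-1, base64-encoded."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample .htpasswd contents: one "user:hash" per line.
# frank's line is a made-up placeholder standing in for a bcrypt entry.
SAMPLE_HTPASSWD = (
    "admin:" + make_sha_entry("password") + "\n"
    "bob:" + make_sha_entry("hunter2") + "\n"
    "frank:$2y$05$placeholder.not.a.real.bcrypt.hash\n"
)


def parse_htpasswd(text: str) -> dict:
    """Map each username to its stored hash string; blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Re-hash the candidate and compare in constant time (one-way check)."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, make_sha_entry(password))
    raise ValueError("unsupported htpasswd hash format: " + stored[:4])


def challenge_headers(realm: str = REALM) -> dict:
    """Header Apache sends with a 401 so the browser knows which realm to prompt for."""
    return {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def basic_header(user: str, password: str) -> str:
    """What the browser sends back: base64 of user:password, encoded, not encrypted."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(header: str):
    """Recover (user, password) from an Authorization header; None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def authenticate(header: str, users: dict) -> bool:
    """Require valid-user: any listed user presenting the right password gets in."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = users.get(user)
    if stored is None:
        return False
    try:
        return check_password(stored, password)
    except ValueError:  # unknown hash format: fail closed
        return False


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print(challenge_headers())
    hdr = basic_header("admin", "password")
    print(hdr, "->", decode_basic_header(hdr))  # plaintext falls straight out
    print("admin accepted:", authenticate(hdr, users))
    print("frank accepted:", authenticate(basic_header("frank", "x"), users))
```

The decode step is the point of the caveat about Basic: the header is reversible encoding, so the transport (HTTPS) is what actually protects the password. The fail-closed branch for unknown hash formats is deliberate; a real deployment would use `htpasswd -B` (bcrypt) rather than the unsalted SHA-1 shown here, which exists in this script only because it can be checked with the standard library.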
Apache comes with a command-line utility, htpasswd (packaged as apache2-utils on Debian/Ubuntu and httpd-tools on Red Hat derivatives), that will create your .htpasswd file and add users with hashed passwords; htpasswd -B -c /path/to/.htpasswd admin creates the file with a bcrypt hash for admin and prompts for the password, and htpasswd -B /path/to/.htpasswd bob adds a further user. Using it does require shell access, which we will assume you don’t have.
In that case, a common alternative is one of the many online .htaccess password generators that will pretty much do everything for you. Bear in mind what that means: you are typing your admin password into someone else’s website, so treat it as disclosed to that site and use a password that is unique to this admin area.
One such website is Dynamic Drive’s .htaccess password generator, which provides the code needed in both your .htaccess and .htpasswd files.
Turn Password Protection On
Once you have generated your .htaccess and your .htpasswd files you simply upload them: the .htaccess file goes in the directory that you wish to protect, and the .htpasswd file goes wherever AuthUserFile points, preferably outside the web root. Apache’s default configuration refuses to serve any file whose name begins with .ht, but don’t rely on that alone if you keep the password file inside the site. Take care not to overwrite an existing .htaccess file, or you will lose the functionality that it added; if one already exists, add your new lines to it. Finally, test from a browser (or a fresh private window) that the directory now returns a 401 prompt rather than the page, and that a wrong password is rejected.
Conclusion
Apache lets you set up basic authentication in minutes. Served over HTTPS and backed by a strong password hash, it is a sound first line of defence for parts of your website that you want to keep private.


