How would you password protect a directory using .htaccess?
Let’s first go through what a sample .htaccess file should look like if we want to password protect a directory using the .htaccess file. Then we will explain in detail what each part means. Here is the sample .htaccess file:
AuthName "Restricted"
AuthType Basic
AuthUserFile /home/username/.wp-admin
require valid-user
In order to turn on password protection, at the very minimum we must use the AuthType, AuthName, AuthUserFile, and require directives.
The AuthType Directive
The AuthType directive tells Apache which authentication scheme to use. We set it to “Basic”, the simplest form of authentication. The other options for AuthType are None (no authentication at all), Digest, and Form, which both provide higher levels of security than “Basic”. Keep in mind that Basic authentication sends the username and password with every request merely base64-encoded, not encrypted, so a directory protected this way should only be served over HTTPS.
The AuthUserFile Directive
The AuthUserFile directive specifies the actual path on the server to the file that stores the usernames and their encrypted (hashed) passwords.
The file name used for the AuthUserFile can be anything you want it to be. The typical name is .htpasswd, but you can even use something like .wp-admin, which is a commonly used name for sites running WordPress. Note that Apache’s stock configuration refuses to serve any file whose name begins with .ht, so a .htpasswd file gets that protection automatically, while a file with a different name such as .wp-admin does not and must be kept outside the web-accessible tree.
What to put inside the .htpasswd file
Inside the .htpasswd file, you will need to put a username and an encrypted (hashed) password, one user per line in the form username:hash. This is the username and password that anyone who tries to access the password protected file or directory must enter. Generate the encrypted password with the htpasswd utility, following the examples on this page: http://httpd.apache.org/docs/current/programs/htpasswd.html. You can choose the username used inside the .htpasswd file as well.
Understanding the AuthName directive
The AuthName directive sets the Realm that will be used during authentication. In our example above we just set the Realm to “Restricted”. Note that this is an arbitrary string and we could have set it to anything we wanted, like “Security Zone”. What exactly is the Realm? There are two primary functions of the Realm. The first is that the browser displays the string used to define the Realm (in this case, “Restricted”) inside the password dialog box where the user is prompted for the username/password combination. The second is that the browser uses the Realm to figure out which password should be used for an authenticated area.
This means that once a user has already input a valid password for the “Restricted” area, the browser will automatically retry that same password for any area on that server that is marked using the “Restricted” realm. So it basically means that the user may not have to be prompted multiple times for the same password as long as he/she is trying to access files/directories that share the same realm.
With that said, if you just want to password protect a single file or a single directory, you probably will not be concerned with the realm set by the AuthName directive. And you can just use any arbitrary string that comes to mind for the AuthName directive – it should not matter to you (unless of course your server administrator says otherwise!). But, we wanted to actually explain what the AuthName directive means instead of just telling you to use it.
Understanding the require directive
The require directive tells Apache which users should be let in to view the restricted material. In this case we say require valid-user, which means that any user who enters correct credentials (a username and password that match an entry in the AuthUserFile) is allowed in. The Require directive can also accept specific user names (Require user ...) or a group of user names (Require group ...).
Summary of how to password protect a directory using .htaccess
Now that you understand (hopefully) all the details of what goes into the .htaccess file, let’s summarize the steps that go into enabling password protection in the first place.
First, if you just want to password protect a directory, start by creating an .htaccess file in the directory that you want to protect. If you already have an .htaccess file in that directory, simply copy these Apache directives into the existing file; otherwise create a new file. You can use this sample .htaccess file:
AuthName "Restricted"
AuthType Basic
AuthUserFile /home/username/.htpasswd
require valid-user
Second, you will need to create a .htpasswd file. Place this file somewhere on your server where it can’t be accessed by the public, ideally outside the web server’s document root. And, of course, you will need to change the path specified by the AuthUserFile directive so that it correctly points to the .htpasswd file.
Inside the .htpasswd file, you will need to put a username and an encrypted (hashed) password, one user per line in the form username:hash. This is the username and password that anyone who tries to access the password protected file or directory must enter. Generate the encrypted password with the htpasswd utility, following the examples on this page: http://httpd.apache.org/docs/current/programs/htpasswd.html. You can choose the username used inside the .htpasswd file as well.
And that’s it! Follow these steps and you should be good to go!
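As an added example (not from the original page or from Apache itself), here is a pure-Python reimplementation of the “$apr1$” MD5 hash that htpasswd -m writes, so you can see what the “encrypted password” in a .htpasswd line actually is, plus a checker that verifies a login against the file’s contents the way Apache does. The function names are my own; for new deployments the bcrypt option (htpasswd -B) is the stronger choice, and this code only covers $apr1$ entries.

```python
import hashlib
import hmac
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # htpasswd to64() alphabet

def _to64(value: int, length: int) -> str:
    # Emit `length` characters, 6 bits each, least-significant group first.
    return "".join(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(length))

def apr1_md5(password: str, salt: str) -> str:
    """Return a '$apr1$salt$hash' string, the format 'htpasswd -m' writes."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, same schedule as apr_md5_encode()
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = ""
    for a, b, d in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[d], 4)
    enc += _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + enc

def htpasswd_line(user: str, password: str) -> str:
    # One 'user:$apr1$...' line with a fresh random 8-character salt.
    salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"

def check_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """Verify a login against .htpasswd contents, as Apache does for $apr1$ entries."""
    for line in htpasswd_text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("$apr1$"):
            continue
        return hmac.compare_digest(apr1_md5(password, stored.split("$")[2]), stored)
    return False
```

Running htpasswd_line("alice", "...") gives a line you can paste into .htpasswd; check_htpasswd shows why only the hash and salt, never the password, need to be stored.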