Authentication with .htaccess

This article explains how to protect your website (or a directory) using the .htaccess file.

If you have root access to web server

Prerequisites

  • Root access to the web server to run the htpasswd command.

Instructions

  1. Log into your web server via SSH.

  2. Type cd to go to the directory you want to password protect.

    To protect the entire website, navigate to the public_html/ folder:

     cd /var/www/mydomain_com/public_html

    To protect a specific directory, ie. mydomain.com/resources/, navigate to the resources/ folder:

     cd /var/www/mydomain_com/public_html/resources/
  3. Type pwd to get the full path of the folder:

     pwd
     /var/www/mydomain_com/public_html
  4. Type htpasswd to create a username and an encrypted password:

     htpasswd -c /var/www/mydomain_com/public_html/.htpasswd my_username

    Note: Make sure to add the above full path of the directory you want to protect followed by /.htpasswd. The .htpasswd file contains the encrypted password.

    Tip: Run htpasswd for as many usernames you want to create.

  5. Change the file permissions of the .htpasswd file:

     chmod 644 /var/www/mydomain_com/public_html/.htpasswd
  6. If you don't have a .htaccess file, create it:

     cd /var/www/mydomain_com/public_html
     nano .htaccess

    Note: If needed, replace nano with vi or vim.

    If you already have .htaccess file, edit it:

     nano .htaccess
  7. Update .htaccess with the path to the .htpasswd file:

     AuthType Basic
     AuthName "Secure Content"
     AuthUserFile /var/www/mydomain_com/public_html/.htpasswd
     Require valid-user

    Note: Do not confuse valid-user with your username, it's a value for the Require directive to accept all valid users found in the .htpasswd file. To accept only a specific username instead of all usernames, use Require user my_username instead.

    To password protect a specific directory, ie. resources/, update the AuthUserFile directive:

     AuthUserFile /var/www/mydomain_com/public_html/resources/.htpasswd
  8. Restart Apacheand navigate to your website or directory to confirm the auth dialog appears.

    Depending on your web server, the commands to restart Apachemay be different.

    • Debian/Ubuntu

        systemctl restart apache2.service

      For older versions (Debian 7.x, Ubuntu 14.10):

        /etc/init.d/apache2 restart
    • CentOS/RHEL (RedHat)

        systemctl restart httpd.service

      For older versions (4.x, 5.x, 6.x):

        service httpd restart
    • Alpine Linux

        service apache2 restart
    • FreeBSD

        service start apache22

If you don't have root access to web server

Instructions

  1. Open File Manager and go to the root folder of the website, i.e. public_html/.

    Depending on your hosting company, this can be done through File Manager or FTP Manager.

  2. Create a new file titled .htpasswd and open it for editing.

  3. Use a .htpasswd file generator to create a username and encrypted password.

  4. Copy-paste the results and save the .htpasswd file.

  5. Skip this stepif you know the full path to the .htpasswd file (ie. /home/my_username/public_html/.htpasswd). If not, continue.

    5.1. Create a new file in the root folder, i.e. public_html/, and title it path.php. Update accordingly if your web server does not run with PHP.

    5.2. Copy the following code and paste it inside the path.php file:

     <?php echo $_SERVER['DOCUMENT_ROOT']; ?>

    5.3. Visit your website URL and append /path.php. Visiting this composed URL should output the full path to your root folder public_html/ folder.

    5.4. Copy the path.

  6. Go to File Manager (FTP Manager etc.) and create a .htaccess file. If you already have a .htaccess file, edit it.

  7. Add the following code in .htaccess:

     AuthType Basic
     AuthName "Secure Content"
     AuthUserFile "/home/my_username/public_html/.htpasswd"
     Require valid-user

    Replace /home/my_username/public_html/.htpasswd with the results from Step 5.3 above.