Password Protection


Password protection is one of the most used features of htaccess. It is also a bit more difficult to set up and use.

The first thing you have to do is create a new file. This one is called the .htpasswd file. (Notice the file name/extension resemblance to our current subject.) This type of file is created and saved in the same fashion as the htaccess file. The htpasswd file will contain user names and their passwords.

Now that you have the file created, you have to enter the information into it. The information is stored like this:

username:password
username:password
username:password

Each username, colon, and password entry is on its own line, with no spaces at the end of the line.

Seems easy so far? Well, it's time to toss in a bit of trouble now. The username parts are easy enough as they remain in "real" English. The password parts, however, must be encrypted. That means each one has to be scrambled into a code. This helps our cause for security considering you ARE password protecting something here.

Need to encrypt the password? There are many online scripts available that do this for you. Just do a quick internet search and you should find them. We offer this online service for you through the link below.

OK, you have the file created, you have the usernames and passwords entered. Ready for another twist? The file must be uploaded in ASCII format and stored above your WWW or public_html folder. That is, in your online root (home) folder. (You may have to ask your host provider exactly what path this is and where it is located.)
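A check to run on the finished file before uploading it, as an added example that is not part of the original tutorial: it verifies the one-entry-per-line username:password layout and the no-trailing-spaces rule described above, and goes further by naming each password's hash scheme from its prefix so plaintext or weak entries stand out. The function names and sample entries are assumptions made for this example, and the hash values are constructed placeholders.

```python
import re

# Hash prefixes: bcrypt and apr1 are written by Apache's htpasswd tool,
# $5$/$6$ are the crypt(3) SHA-2 formats, {SHA} is unsalted SHA-1.
SCHEMES = {"$2y$": "bcrypt", "$apr1$": "apr1-md5", "$5$": "sha256-crypt",
           "$6$": "sha512-crypt", "{SHA}": "sha1-unsalted"}
WEAK = {"sha1-unsalted", "des-crypt", "plaintext-or-unknown"}
CRYPT_DES = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-char crypt()

def classify(secret):
    """Name the hash scheme of a password field from its shape."""
    for prefix, name in SCHEMES.items():
        if secret.startswith(prefix):
            return name
    if CRYPT_DES.fullmatch(secret):
        return "des-crypt"
    return "plaintext-or-unknown"

def check_htpasswd(text):
    """Return (line_number, username, problem) for every bad entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:
            findings.append((number, user, "not in username:password form"))
            continue
        if line != line.rstrip():
            findings.append((number, user, "trailing whitespace"))
            secret = secret.rstrip()
        scheme = classify(secret)
        if scheme in WEAK:
            findings.append((number, user, "weak or missing hash: " + scheme))
    return findings

# Constructed sample file; users and hash values are made-up placeholders.
SAMPLE = (
    "alice:$2y$10$" + "A" * 53 + "\n"
    "bob:hunter2\n"
    "carol:{SHA}" + "B" * 27 + "=\n"
    "dave:$apr1$abcdefgh$" + "C" * 22 + " \n"
    "broken line without separator\n"
)

if __name__ == "__main__":
    for finding in check_htpasswd(SAMPLE):
        print(finding)
```

An empty result means every entry is well formed and carries a salted hash; the scheme is inferred from the prefix only, so the check does not prove that a hash is valid.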

If you have done all of that, it's time to move on to the htaccess part of the show...

As stated in a previous page, the htaccess file will affect the current directory only plus any subdirectories connected to it. So be sure you are placing this into the right place. Sometimes just one directory part needs protection, sometimes the whole site.

Here is the coding to add to the htaccess file:

Let's break this down to an understandable level now, starting with the first line.

AuthUserFile /home/pathto/.htpasswd

This lets the browser find the htpasswd file you created and saved earlier. After AuthUserFile you enter a forward slash, then continue with the path leading to the actual filename.

AuthType Basic

There are a couple of different flavors of encryption processing. Basic is the most commonly used.

AuthName "Secret Place"

The value in quotes will appear as the title in the popup message box when the visitor hits the protected area.

This tells the browser to check the entered information against the saved htpasswd file.

And that's it. Now when a visitor tries to access a page within a protected directory, they will get a popup asking them for a username and password. If they enter bad information, they will get directed to an error page.

If you wanted to password protect a specific page only, you can try this as your htaccess coding:

You can protect the actual .htaccess file from being viewed by visitors by using this code:
