Password Protecting Your Web Pages

This page will show you how to add server side password protection to a directory on your website. It assumes that your web site is hosted on an Apache server (most are). To do this you must be able to use .htaccess configuration files with your webspace. You will have to check with your ISP to see if they allow this. Generally commercial web space providers may allow you but free space providers very rarely will. There are various other weird protection methods involving Java but these methods are often not very secure.

Important: - This page assumes that you are a fairly experienced computer user and know how to use UNIX/Linux telnet commands. If you don't then you may not manage to follow these instructions.

To be able to password a directory, and all the files in it you need to:

1. Create the directory that you want to protect.
2. Place a .htaccess file and a .htpasswd file in it .
3. Make the .htaccess and .htpasswd files readable 'chmod 666 .htaccess' and 'chmod 666 .htpasswd'
4. That's it. The directory and all the pages inside are now password protected.

A .htaccess file allows you to set up a number of preferences for the folder in which it is places. The example one below is set up to protect the directory at http://www.advancedhtml.co.uk/password/ by only allowing access to this directory if you know a valid username / password combination. /home/username/html/password/ is the UNIX path to the protected directory. You will have to change this line so that it refers to the directory that you want to protect. The encoded passwords are stored at http://www.advancedhtml.co.uk/password/.htpasswd and the configuration file is at http://www.advancedhtml.co.uk/password/.htaccess

deny from all
allow from all
AuthUserFile /home/username/html/password/.htpasswd
AuthGroupFile /dev/null
AuthName PasswordDemo
AuthType Basic
<Limit GET>
  require valid-user
</Limit>

To create the password file you will need to use the UNIX program 'htpasswd'. You can either use it directly from your web server if you are allowed shell access or you will have to get access to a UNIX computer and create the .htpasswd file from there. Below is the password file that is in the 'password' directory. The word befor the colon is the user name and the string after the colon is the encoded password.

demo:G5cCGM5MULa7E

Below in bold is what you type in to create a user called 'demo' with the password 'password' in a file called '.htpasswd'. The bits in bold are what you type in.

[root@procyon /root]# htpasswd -c .htpasswd demo
Adding password for demo.
New password: password
Re-type new password: password

The '-c' option creates the file. To add more users and passwords to the file simply miss out the '-c' option. The htpasswd program comes as part of the Apache web server.

Password Demonstration - Type in 'demo' for the user and 'password' for the password.

If you get stuck then try downloading my demonstration set of files. All you have to do is upload them change the dirctory path to the password-protected directory and set up the correct file permission. Password Demo Files .

Adding More Security
Restricting access to a specific domain

As well as requiring that the user type in the correct password, you can also require that they come from the right domain. For instance if I was signed up with the ISP Demon then I could make the below alteration to the file.

deny from all
allow from demon.co.uk
AuthUserFile /home/username/html/password/.htpasswd
AuthGroupFile /dev/null
AuthName PasswordDemo
AuthType Basic
<Limit GET>
  require valid-user
</Limit>

This would only allow access to people who know the right password AND who are on the ISP Demon. This therefore makes it a lot harder for someone from a .com or .net domain name to hack into your protected pages as only demon.co.uk domains are allowed.

Banning a specific domain

You can also ban specific domains, which will prevent people from this domain from accessing any of the pages on your site.

<Limit GET>
  order allow,deny
  deny from badguys.co.uk
  allow from all
</Limit>

This will prevent all people from the badguys.co.uk domain from accessing your site.

Further reading

I have a page on using .htaccess files for a variety of other purposes.