Recently a serious security flaw was discovered on one of my webpage where a folder which was intended to be accessed just by admin was open for access to anyone. I somehow ignored that folder as it was lying there for years.
Fortunately before those sensitive information could compromised, one of the site follower sent me an email describing the serious flaw in security. I acted promptly and secured those folders with passwords.
It is always a good idea to add password protection to any of the folders / webpages of your website if you want restricted access on them.
Here I will describe an easiest way to add password protection to your webpages.
1. Easy and Automated Way
First, let us see the easy way of adding password protection to a webpage. In the CPanel of your sites hosting server you can configure folders and add passwords to those folders/pages.
Login to your CPanel and scroll down to see the Security box
Select Password Protect Directories under Security. It will open up a page where all the folders will be listed.
Click on any of the folder name where you want to add password protection. If you want to add password to a subfolder like /myweb/mysecretfolder/ than click on the folder icon and it will list all the subfolders under it. Once you select a folder, it will ask for username / password and foldername. Check the following snapshot.
Select the checkbox “Password protect this directory” and also provide a name for protected directory. The directory name that you provide here will be used in the password prompt dialog box when user tries to access this folder.
And that’s it. All you have to do is to try accessing the secure folder from internet. As soon as the secure folder is requested, user will be asked to enter username/password. If user is successfully authenticated the content will be served. Otherwise an Unauthorized error (401) is generated.
The above method that we used to protect any webpage using CPanel’s Password Protect Directories option uses Apache’s Basic authentication mechanism. Behind the scene it generates 2 files, first one a password file which stores the username/encrypted password pairs for all authorized users and second file is .htaccess file which contains the rule for authentication, the path to the password file and other details.
2. Manual Way
As mentioned earlier the above (Easy and Automated) method generates the password file and rules in the htaccess file which set the authentication mechanism on the folder. Let us see the manual way of doing this. The advantage is that things are clear and you know exactly what is going on in the background. You also get some additional functionality such as password protecting single or multiple files.
There are two things we need to do here.
- Generate the password file
- Add authentication rules in htaccess file
1. Generate the password file
All the username/passwords that we need to give access to the folder goes in a file. The format of this file is simple, you have
The trick here is to generate the encrypted passwords for this file. Fortunately we lot of online tools that can be used to generate these encrypted values. Use any of the below tools to generate your encrypted passwords.
Save the username/password in file .htpasswd. We need to protect this file so keep it anywhere but not in public_html or web root. Most of the hosting providers a folder .htpasswds under your user home directory. Store the file .htpasswd in .htpasswds folder. If you dont have this folder then you can store the file anywhere. The apache mostly restricts the direct access to files starting with .ht. So feel free to put the file at location of your choice.
For this example lets assume the location of password file is: /home/username/.htpasswds/.htpasswd
2. Add authentication rules in htaccess file
Now as we have created the password file, let us add the htaccess rules for authentication the htaccess file.
Open the .htaccess file inside the folder that you want to protect with password. Create one if not already exists. Copy following code into it.
Change the AuthName to anything you like to be shown in password dialog box when this folder is accessed. Also change the AuthUserFile to the full path of password file that we created in step 1.
And that’s it. Try to access the folder from internet and apache will prompt you for username/password. If successfully authenticated, user will be served with appropriate content.
Protecting a single file
To password protect just a single file in a folder, use the following .htaccess file:
AuthUserFile /home/username/.htpasswds/.htpasswd AuthType Basic AuthName "My Secret Page" <Files "mypage.html"> Require valid-user </Files>
This will password protect just the mypage.html file in the folder where you put the .htaccess file.
Protecting multiple files
To password protect more than one file in the same folder, just create more
blocks within the same .htaccess file – for example:
AuthUserFile /home/username/.htpasswds/.htpasswd AuthType Basic AuthName "My Secret Page" <Files "mypage.html"> Require valid-user </Files> <Files "mysecondpage.html"> Require valid-user </Files>
Disabling password protection for localhost
You may have setup a website in production and a development environment on your localhost. While it is desirable to have password protection for production version, but at same time it is very annoying if on localhost (dev environment) it keeps on asking for password everytime. Add following rule in your .htaccess file and the server will never ask for password if you are running the website on localhost.
For more info: http://httpd.apache.org/docs/2.0/mod/core.html#satisfy
Disabling password protection for subfolder
It may happen that sometime we have a requirement where to add password protection to a folder but not for a particuler subfolder.
– /mysecret/* should be protected by password
– /mysecret/mypublic/* should be open to all
This can be achieved by creating a new .htaccess file in subfolder (mypublic) and add following line into it.
I hope things are clear from above tutorial. If you think you have a better way of doing this, share your experiences :)