
Password Protecting Your Blog with .htaccess

One way to set up a private, password-protected weblog is by adding a .htaccess file to the directory in which the weblog resides. .htaccess files give you extra control over your server, allowing you to password protect directories, enable server side includes, generate custom error messages, and block users by IP address, among other things. I've already described the fundamentals of .htaccess in another tutorial, see What is .htaccess? If you are setting up .htaccess for the first time, be sure to read that tutorial thoroughly.

1. Create .htpasswd

The first thing you need to do, before creating your .htaccess file, is to create a file called .htpasswd, which will hold the user names and password hashes of those to whom you are giving access to your private weblog. The passwords are not stored in the clear: each one is run through a one-way hash, and the web server compares the hash of whatever a visitor types against the stored value. A commenter here recommends that you not use a web-based password generator site for security reasons (you would be handing your user name and password to a stranger's server). The same commenter notes that if you have shell (SSH) access to your server, you can change to the directory in which you want to create the .htpasswd file and type "htpasswd -c .htpasswd username" (without the quotes; replacing username with the user name you are creating). The "-c" means "create a new file", and the command prompts you for the password. Root access is not required; any shell account that can write to that directory will do. The commenter's version adds "-b", which takes the password from the command line instead of prompting for it, but a password typed on the command line ends up in your shell history and is visible to other users of the machine while the command runs, so leave "-b" off and answer the prompt. Use "-c" only for the first user; running it again with "-c" overwrites the file, so add further users without it. If you do not have shell access to your server, it is suggested that you have your server admin do this for you.

For example, the name "bartlett" and password "westwing" might look like this, hashed and ready to be placed in your .htpasswd file: bartlett:09ArhAKMeRSE6. The 13-character value shown is the traditional crypt() format, which only uses the first 8 characters of the password; current versions of htpasswd default to the stronger MD5-based "$apr1$" format, and "htpasswd -B" selects bcrypt, which is stronger still. Either is preferable to the crypt() form.

Create the strings of user names and passwords for those to whom you will give access to your private blog.

Copy and paste these into a text editor, one line for each name:hash pair. Save the file to your desktop; note that you probably will not be able to save it with the dot (.) in front of htpasswd. That's okay; rename it when you upload the file to your server with FTP.
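A way to generate and check .htpasswd entries locally, added here as an example and not part of the original post or of Apache's own tools. It implements the MD5-based "$apr1$" format that Apache's htpasswd uses by default, with only the Python standard library, so you never have to paste a password into somebody else's web form. The user names, passwords and the sample file are constructed for the example; the fixed salt "abcdefgh" is used only so the "bartlett" line is reproducible.

```python
import hashlib
import hmac
import secrets

# Alphabet of htpasswd's own base64 variant (not standard base64).
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    out = ""
    for _ in range(count):
        out += chr(ITOA64[value & 0x3F])
        value >>= 6
    return out


def apr1_crypt(password: str, salt: str) -> str:
    """Apache's MD5-based ($apr1$) password hash, the htpasswd default."""
    pw = password.encode()
    salt_b = salt[:8].encode()  # Apache keeps at most 8 salt characters
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching schedule from apr_md5_encode()
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = (  # digest bytes are emitted in the permuted order Apache uses
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def make_entry(username: str, password: str) -> str:
    """One .htpasswd line, with an 8-character salt from the OS CSPRNG."""
    if ":" in username or not username:
        raise ValueError("user name must be non-empty and contain no ':'")
    salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    return f"{username}:{apr1_crypt(password, salt)}"


def parse_htpasswd(text: str) -> dict:
    """Map user name -> stored hash; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, stored = line.partition(":")
            users[name] = stored
    return users


def check_login(users: dict, username: str, password: str) -> bool:
    """True only if the user exists and the password hashes to the stored value."""
    stored = users.get(username, "")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # unknown user, or a hash type this helper does not handle
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)


# Constructed sample file: the tutorial's "bartlett" user plus a second one.
SAMPLE_HTPASSWD = "\n".join([
    "# users allowed into the private weblog",
    "bartlett:" + apr1_crypt("westwing", "abcdefgh"),
    make_entry("reader", "correct horse battery"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print(check_login(users, "bartlett", "westwing"))  # True
    print(check_login(users, "bartlett", "WestWing"))  # False
```

Run it and paste the printed lines into your .htpasswd file. If the htpasswd binary is available to you, "htpasswd -B" (bcrypt) with an interactive prompt is still the better choice; the point of doing it locally, by either route, is that the password never leaves your machine.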

2. Upload .htpasswd to your server

For security, you should upload this file to a location on your server that is outside the web root (the DocumentRoot, often public_html), for example one level above it, so that it cannot be fetched by URL. Apache's default configuration refuses to serve files whose names begin with ".ht", but do not rely on that; keeping the file out of the web-accessible tree altogether is the safe choice. Upload the file as ASCII text. Make a note of the full filesystem path to the file; you will need it in the next step.

3. Create your .htaccess file

I have found two similar sets of .htaccess code for password protection and they both work on my server. I'll list them here, but check with your webhost first. If they allow .htaccess, they may very well have a tutorial about how to use it on their servers.

One code method:

AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require valid-user

The first line, containing the directive AuthUserFile, is the full server path to your .htpasswd file. Use the path that will work with your server set-up to get to where you placed your password file. (Note: a filesystem path, not a URL.) If the path contains spaces, enclose it in double quotes.

The second directive, AuthGroupFile, points to a list of user groups for group-based authorization. Since we're not doing that, it is set to /dev/null; the line can also simply be left out.

According to the Apache documentation, the third line, AuthName,

sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send. AuthName takes a single argument; if the realm name contains spaces, it must be enclosed in quotation marks.

Basically, you can put pretty much any word next to AuthName, such as EnterPassword; the browser shows it in the login prompt. A phrase like "Private weblog" works too, as long as it is in quotes.

AuthType sets the type of user authentication for a directory. In our case, that is Basic. Be aware that Basic authentication sends the user name and password with every request, merely base64-encoded rather than encrypted, so anyone who can watch the traffic can read them. If the weblog is reachable over plain HTTP, the password protection only keeps out casual visitors; serve the protected directory over HTTPS if you can.

require valid-user allows any user listed in your .htpasswd file, once they have logged in, to access the contents of the directory. (Apache directive names are case-insensitive, so Require and require are equivalent.)

Second code method:

AuthUserFile /home/local/you/safedir/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

This second setup was what was recommended at my webhost. I don't know what the <Limit GET> and </Limit> do (perhaps someone can enlighten me?), but this worked as well as the first method. Like I mentioned before, check with your webhost first to see if they have a preferred method.

Note: <Limit GET> restricts the enclosed require directive to GET requests (Apache treats HEAD the same as GET), so other request methods, such as a POST to a script in the protected directory, are served without asking for a password. Apache's own documentation warns against using <Limit> for access control for exactly this reason. The first method, which has no <Limit> wrapper, applies the require to every method and is the one to use.
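The two methods side by side, as an added example that is not from the original post or from any webhost's instructions. The path and realm name are placeholders; the two fragments are alternatives, so only one of them belongs in a real .htaccess file, and the second is the one to keep.

```apache
# Weak form (the post's second method). <Limit GET> applies the Require only
# to GET (and HEAD) requests, so a POST, PUT or any other method sent to this
# directory is handled without credentials.
AuthType Basic
AuthName "Private weblog"
AuthUserFile /usr/local/you/safedir/.htpasswd
<Limit GET>
    Require valid-user
</Limit>

# Corrected form (equivalent to the post's first method). With no <Limit>
# wrapper the Require covers every request method, which is what
# "password protect this directory" is meant to achieve.
AuthType Basic
AuthName "Private weblog"
AuthUserFile /usr/local/you/safedir/.htpasswd
Require valid-user
```

A quick way to check which form a server is running: request a protected URL with GET and then with POST (for example with curl's -X POST); both must answer 401 until credentials are supplied. If the POST comes back 200, the <Limit GET> wrapper is in place.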

(Note that there are different variations on how you can set this up. If you want different private directories, all with different users having access, you can do that too. A web search for .htaccess will yield many tutorials.)

Use a text editor to create this file, and save it as htaccess. You will change it to .htaccess when you upload it to your server.

4. Upload your .htaccess file

The directory into which you upload this .htaccess file will become password protected. So, if you upload this .htaccess into the top level of your public_html directory, your entire website will be password protected. If you want to password protect only one weblog, and not your whole site, upload the file into the directory in which you would find the index.html or index.php of that weblog. For example, if I wanted to password protect Learning Movable Type, I would load the .htaccess file into: home/public_html/mt/. If you already have an existing .htaccess file in this directory, you can add the lines of text described here to your existing file. They just need to start on a new line.

Make sure that you include the dot (.) before htaccess when you are uploading the file, or rename the file to include the dot after it has been uploaded. Many FTP programs hide dotfiles by default, so you may need to turn on "show hidden files" (in a command-line client, pass -a to the ls command) to see it. You may also need to set the file's permissions to 644. The .htpasswd file needs only to be readable by the web server; do not make it world-writable.

Note that I've already explained that .htaccess is a powerful file. Make sure you understand it before you attempt to use it. I take no responsibility for what may result on your server by following the aforementioned instructions. My advice? Make friends with someone in tech support at your webhost.


Comments (8)

mademoiselle a.:

This is for PP'ing a whole weblog -- but I suppose this would not work if I wanted only a single category [the ever so favourite "private", say] to be protected? In which event I'd have to design a "login" area that displays in the post instead of the actual text. Or something like that.

Just thinking...

Hi Mademoiselle, what I would do is have separate directories for each category and then just add a .htaccess to the category that you want to protect via FTP. You can create separate category directories through the naming convention - see http://www.elise.com/mt/archives/000286file_names_and_urls.php.

Dida:

Hi- This works great. Thnx Elise!

You can also use this method to protect a single file. See this tutorial: http://www.4webhelp.net/tutorials/misc/htaccess.php
Dida

Betty:

I'd be VERY careful using a password generation site. It's not a good idea to use an online form to enter both your username and a password for your server (data) et cetera. If the person running the site can track you down (perhaps by IP...), then they may be able to use your username and password (that was entered into their online form).

Hi Betty,
What would you suggest as an alternative?

Betty:

Hi Elise,

I apologize for not providing an alternate, more secure means of making a .htpasswd file.

If you have root access to your server, SSH to it, change to the directory you wish to create the .htpasswd in and type "htpasswd -bc .htpasswd username password" (without the quotes; replacing username with your username and password with your desired password).

The "c" mean "create a new file" and the "b" means "use the password given in the command line (rather than prompting for it."

If you do not have access to your server, I suggest you have your server admin do this for you.

I highly recommend that you do not use a third-party web form or any other unknown source to do this.

Betty

Hello Betty,

So you are suggesting that the risks of using a web-based form for encrypting passwords outweigh the risk of using an unencrypted password file. Fair enough.

Please clarify something for me. The IP address that would show up as a statistic on the site that hosts a form has to do with the internet connection I use to access the Internet. My website files are hosted by a web hosting company that has no connection whatsoever to the IP address from my Internet connection. So, even if someone knew my IP address for my web-surfing Internet connection, how would they know my website?

Is this security issue more of a concern for people whose web-surfing computer and website server share the same IP address?

Betty:

Hi Elise,

Who said anything about using a non-encrypted password file?

The "htpasswd" command performs the actual creation of an encrypted .htpasswd file. [It is undoubtedly the same program that is being called from that server in europe where the cgi form is being called from.] The htpasswd way that I recommended above, is the actual way to create these encrypted password files. It is not some guy's website form that is the source for this. [By the way, there are 3 forms of encryption available with this command - one is set by default, the other two may be called by passing parameters...]

About the IP... It would be easier for someone to use your username and password (from that online form), if the IP that you are visiting from is the same as the IP of your server. However, there are ways to make the association. Let's say that you've posted to a blog, forum, or some other public place and have indicated what your domain name is, if someone can search on the IP used in that guy's web form, and find another instance of your IP in a public bbs (forum), or email header..., then they can read in the forum (or whatever) about where your blog/server/site is, and go to it and use your username and password.

That is probably clear as mud, I know. And, it is probably rare that it would happen.

I'm sure there are other ways to find out from your IP where you normally connect to...if someone really wants in.

The point is: as a general security precaution, it is not advisable to use some unknown person's web form to generate your password, especially when a username is also given.

Anyway, just my two cents.

Betty

