Learning Movable Type: Password Protecting Your Blog with .htaccess


One way to set up a private, password-protected weblog is to add a .htaccess file to the directory in which the weblog resides. .htaccess files give you extra control over your server, allowing you to password protect directories, enable server side includes, generate custom error messages, and block users by IP address, among other things. I've already described the fundamentals of .htaccess in another tutorial (see What is .htaccess?). If you are setting up .htaccess for the first time, be sure to read that tutorial thoroughly.

1. Create .htpasswd

The first thing you need to do, before creating your .htaccess file, is to create a file called .htpasswd, which will hold the user names and passwords of those to whom you are giving access to your private weblog. You will need to encrypt the passwords. A commenter here has recommended that, for security reasons, you not use a web-based password generator site. The same commenter notes that if you have root access to your server, SSH to it, change to the directory in which you wish to create the .htpasswd file and type "htpasswd -bc .htpasswd username password" (without the quotes; replacing username with your user name and password with your desired password). The "c" means "create a new file" and the "b" means "use the password given on the command line (rather than prompting for it)". If you do not have access to your server, it is suggested that you have your server admin do this for you.

For example, the user name "bartlett" and password "westwing" would look like this, encrypted and ready to be placed in your .htpasswd file: bartlett:09ArhAKMeRSE6

Create the strings of user names and passwords for those to whom you will give access to your private blog.

Copy and paste these into a text editor, one line for each name:password pair. Save the file to your desktop; note that you probably will not be able to save it with the dot (.) in front of htpasswd. That's okay; make the change when you upload the file to your server with FTP.

2. Upload .htpasswd to your server

For security, you should upload this file to a safe place on your server: above your web root directory, not in your public_html directory, and not in any directory that is accessible from the web. Upload the file as ASCII text. Make a note of the path to the file.

3. Create your .htaccess file

I have found two similar sets of .htaccess code for password protection, and they both work on my server. I'll list them here, but check with your webhost first. If they allow .htaccess, they may very well have a tutorial on how to use it on their servers.

One code method:

AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require valid-user

The first line, containing the directive AuthUserFile, gives the full server path to your .htpasswd file. Use the path that will work with your server set-up to get to where you placed your password file. (Note: a filesystem path, not a URL.) Note that .htaccess will not work if there are extra spaces after AuthUserFile. There is only one space between AuthUserFile and the path.

The second directive, AuthGroupFile, points to a list of user groups for user authentication. Since we're not doing that, it is set to /dev/null.

According to the Apache documentation, the third line, AuthName,

sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send. AuthName takes a single argument; if the realm name contains spaces, it must be enclosed in quotation marks.

Basically, you can put pretty much any word next to "AuthName", such as EnterPassword.

AuthType sets the type of user authentication for a directory. In our case, that is Basic.

require valid-user grants access to the contents of the directory to every user you have listed in your .htpasswd file.

Second code method:

AuthUserFile /home/local/you/safedir/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

This second set-up was what was recommended at my webhost. I don't know what the <Limit GET> and </Limit> do (perhaps someone can enlighten me?), but this worked as well as the first method. As I mentioned before, check with your webhost first to see if they have a preferred method.

(Note that there are different variations on how you can set this up. If you want different private directories, all with different users having access, you can do that too. A web search for .htaccess will yield many tutorials.)

Use a text editor to create this file, and save it as htaccess. You will change it to .htaccess when you upload it to your server.

4. Upload your .htaccess file

The directory into which you upload this .htaccess file will become password protected. So, if you upload this .htaccess into the top level of your public_html directory, your entire website will be password protected. If you want to password protect only one weblog, and not your whole site, upload the file into the directory in which you would find the index.html or index.php of that weblog. For example, if I wanted to password protect Learning Movable Type, I would load the .htaccess file into: home/public_html/mt/. If you already have an existing .htaccess file in this directory, you can add the lines of text described here to your existing file. They just need to start on a new line.

Make sure that you include the dot (.) before htaccess when you are uploading the file, or rename the file to include the dot after it has been uploaded. In some FTP programs this may require setting the -a parameter to display hidden files. You may also need to set the file's permissions to 644.

Note that I've already explained that .htaccess is a powerful file. Make sure you understand it before you attempt to use it. I take no responsibility for what may result on your server by following the aforementioned instructions. My advice? Make friends with someone in tech support at your webhost.

Links:
MT Protect plugin - allows you to password protect an individual entry, or to restrict access to an entry to specific individuals based on their Typekey identity. From Movalog.
Htaccess and Dynamic Publishing
What is .htaccess?
Comprehensive Guide to .htaccess
Apache Tutorial: .htaccess files
htpassword: How does it work?
Password Protect Your Blog - Adam Kalsey's php script for limiting the viewing of an MT blog to MT blog authors.


Posted by Elise Bauer on September 18, 2004 8:50 PM to Learning Movable Type http://www.learningmovabletype.com/