How to Password Protect websites using .htaccess
William (183 points) | Mon, 2005-05-16 21:50
This is a very basic tutorial on how to password protect a directory on an Apache webserver. In this example I will protect a directory on your own OS X installation.
You will need to have web sharing enabled in System Preferences -> Sharing.
Part 1, Creating the necessary files.
First of all copy and paste the following code into a text editor.
AuthUserFile /Library/Webserver/.htpasswd
AuthName "Enter username and password"
AuthType Basic
# No <Limit> wrapper: the requirement then applies to every HTTP method
require valid-user
You will want to save this on your local machine as .htaccess.
Next start up Terminal and type the following command:
htpasswd -c .htpasswd admin

You should be presented with a 'New Password:' prompt. Enter your password, press return and repeat to confirm.
This will create a file called .htpasswd in your home directory.
Part 2, Uploading files to your host.
We need to upload/move both files to the webserver. The .htaccess file needs to go into the directory which needs to be protected. The .htpasswd file should be uploaded, preferably outside the webroot.
What does the above paragraph mean in practice?
On your local Mac you would place the files like this:
/Library/Webserver/.htpasswd
/Library/Webserver/Documents/my_secret_stuff/.htaccess
On a typical Linux/FreeBSD web host:
When you start up your (S)FTP program and connect to your webhost, you will probably be placed into your home directory on the server. The HTML files of your site will normally go in a directory called 'public_html', 'mainwebsite_html' or 'webroot'. If you have a directory under this called, for example, 'my_secret_stuff', which you want to protect, you would take the following steps:
Upload the .htaccess file from your local computer to the folder 'my_secret_stuff'. The file may disappear. On a Unix machine any filename starting with '.' is hidden from normal view. Just go to your FTP preferences and enable 'Show hidden files'.
Next upload the .htpasswd file to your home directory. This should be 'outside' your webroot, and not be visible to web browsers.
Part 3, What is actually happening.
When Apache is asked to serve a file in your protected directory it receives a request like this:
http://www.mydomain.com/my_secret_stuff/
Apache then looks in the folder:
/Library/Webserver/Documents/my_secret_stuff/
Here it finds the file .htaccess, which it reads every time access is made to any file in this directory or any of its subdirectories. The first line of this file, 'AuthUserFile /Library/Webserver/.htpasswd', tells it where to read the password file.
The content of your .htpasswd file should look something like this:
admin:2EKoQTgCtdT2A
What happens now is that Apache will bring up a Username/Password dialogue box. If you look in the .htaccess file you will see the line, 'require valid-user'. This means that it requires a username which can be found in the .htpasswd file. In this case 'admin'.
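An added example (not part of the original tutorial): a small Python audit of the two points above, namely that the file named by AuthUserFile sits outside the web root, and which hash format each .htpasswd entry uses. The document root, the william entry and the function names are assumptions constructed for illustration, and AuthUserFile paths are assumed to be absolute.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed sample inputs; the paths and the admin entry mirror the tutorial.
DOCROOT = "/Library/Webserver/Documents"
HTACCESS = "AuthUserFile /Library/Webserver/.htpasswd\nAuthType Basic\nrequire valid-user\n"
HTPASSWD = "admin:2EKoQTgCtdT2A\nwilliam:$apr1$CONSTRUC$0123456789abcdefghijkl\n"

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path named in .htaccess text, or None."""
    for line in htaccess_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            return parts[1].strip().strip('"')
    return None

def inside_webroot(path, docroot):
    """Pure path comparison; '..' segments are collapsed, nothing is opened."""
    p, root = (PurePosixPath(posixpath.normpath(x)) for x in (path, docroot))
    return p == root or root in p.parents

def hash_scheme(field):
    """Classify the password field of one htpasswd line by its format."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"  # traditional crypt(): only 8 password characters count
    return "unknown"

def audit(htaccess_text, htpasswd_text, docroot):
    """Return a list of findings for one .htaccess/.htpasswd pair."""
    findings = []
    path = auth_user_file(htaccess_text)
    if path is None:
        findings.append("no AuthUserFile directive")
    elif inside_webroot(path, docroot):
        findings.append(f"{path} is inside the web root {docroot}")
    for line in htpasswd_text.splitlines():
        user, sep, field = line.strip().partition(":")
        if sep and hash_scheme(field) in ("des-crypt", "sha1-unsalted", "unknown"):
            findings.append(f"{user}: {hash_scheme(field)} entry, regenerate with htpasswd -B")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(HTACCESS, HTPASSWD, DOCROOT)))
```

The admin entry is flagged because a 13-character field is traditional crypt(), which ignores everything after the eighth password character; htpasswd -B (Apache 2.4) writes a bcrypt entry instead.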
Part 4, Adding more usernames
If you would like to have several usernames you can add more to the htpasswd file with the following command:
htpasswd .htpasswd william
If we leave out the -c switch, it will append to the htpasswd file rather than overwrite it.
This is a very brief introduction to password protecting a directory; for a more detailed look, see the official Apache docs.

Why are you limiting to GET? Don't you want to allow POSTs as well?
Thanks for pointing that line out, slipped past checking.
Will
--
http://www.macscan.net/
I've seen many designers working on web sites leaving it open for the public hoping people will not guess the url. Even if your url is hard to guess - web crawlers may find it and therefore it may show up in search results.
It's much easier for me to download htpasswd.exe (binary for Win) and generate .htpasswd-files without launching telnet-client.
Is there a way to do this for individual files within a folder? My previous attempts have failed.
AuthUserFile /home/xyz/.htpasswd
This is the magic line. Just add this at the top of your .htaccess - it serves the information of where to find the valid .htpasswd, of course, you'll have to enter the correct path.
You can find more information about this at the following page: http://www.euronet.nl/~arnow/htpasswd/documentation.html
EDIT: This is my 2nd post - the first will be free to view soon ;-)
http://maasda.de