How-To

How to Password Protect an Apache Website using .htaccess

Websites running Apache can add a layer of security by requiring a password to access the site. This is done by adding a few lines to the .htaccess— filesecure lockdown the password If you’re running your Website with Apache, securing the site with a password is a simple process. I recently ran through the process on a Windows box (Majority of the shots below); however, the steps are pretty much the same for Windows or Linux Apache sites.

How to Secure Apache with a Password

All the work will be done using your .htaccess file. You can find this file at the root of your Apache Websites. The .htaccess file is checked by Apache before displaying web pages. Typically, it’s used for ReWrites or ReDirects; however, you can also use it to leverage the built-in security features of Apache.

image

 

Edit your .htaccess File

Step 1 – Add the following lines to your .htaccess file. Below is a sample .htaccess file. Your file will defer based on where you place the .htpasswd file.

AuthUserFile /full/path/to/.htpasswd
AuthName "Please Enter User & PW"
AuthType Basic
Require valid-user

What do These Commands Mean?

AuthUserFile

  • APACHE needs the location of the User/Password file. Just enter the full path to your password file, as shown above.

AuthName

  • This field defines the Title and Text for the popup box, which will be requesting the Username and PW. You can make this ANYTHING you want. Here’s an example on my test box:

image

AuthType

  • This field tells Apache what type of authentication is being used. “Basic” is usually fine (and the most common.)

Require valid-user

  • This last command tells Apache what accounts are allowed to log in. By using “valid-user,” you are telling Apache ANYONE is allowed to authenticate if they have a valid username and password inside the .htpasswd file you will create shortly.

If you prefer to be more EXACT, you can specify a specific USER or USER. This command would look like:

Require user mrgroove groovyguest

In this case, only the users, mrgroove, and groovyguest, would be allowed to enter the page/directory you’re protecting (after providing the correct username and password, of course). All other users (including valid ones) will be denied access. If you want to allow more users, just separate them with spaces.

So, now that we have all the config settings made, here’s what your finished .htaccess file should look like:

The screenshot is taken from a Windows Server running WordPress. The path is different than a typical Linux host.

groovyPost .htaccess

Create the .htpasswd file and Encrypted Username and Password

Creating the .htpasswd file is a simple process. The file is nothing more than a text file containing a list of Users and their encrypted passwords. Each User string should be separated into its lines. Personally, I just use notepad++ or Windows Notepad to create the file.

Shot below is an example .htpasswd file with two users:

image

Although Apache doesn’t “require” you to encrypt the passwords, it’s a simple process for both Windows and Linux Systems. For example, for Windows users, you can run  C:\Program Files\Apache Group\Apache2bin\htpasswd.exe to generate an MD5 encrypted Username/Password string. To learn more about this, you can run htpasswd.exe /?

In almost all cases, however, just execute the following command:

htpasswd -nb username password

Once the command is executed, the htpasswd.exe tool will output the User string with its encrypted password. Here is an example of executing the htpasswd.exe tool on the Windows Server.

image

Once you have the User String, copy it into your .htpasswd file.

Verify mod_auth Module is Enabled

By default, Apache has the correct Modules enabled. That being said, it never hurts to be a little proactive, plus it’s a quick “check.”

Open your Apache httpd.conf file and verify the AUTH module is enabled:

image

If you find the module isn’t enabled, just correct it as shown above. Don’t forget you need to restart Apache for changes to your httpd.conf to take effect.

8 Comments

8 Comments

  1. Tony

    August 29, 2007 at 9:54 pm

    Great read. I was looking for the info on creating the crypto for Apache for Windows.

  2. prasanna

    October 24, 2007 at 5:46 am

    Mr Groove . Is it possible to catch a plain password before it passed to .htpasswd file for verification. If so, Please letme know about it. I need in my project

    Thanq for posting a good and valid information

  3. MrGroove

    October 25, 2007 at 8:19 am

    Welcome to the site Prasanna,

    I’ll do some digging but off-hand, I don’t have a solution for capturing the password being passed to Apache for Authentication. I’ll keep an eye out. Perhaps someone in the community can assist. Feel free to also post the question in the Forum

  4. lt

    February 17, 2008 at 7:03 pm

    Does anyone know how to get this to work on Vista? I had everything working fine on my XP machine but now I can’t get the password protection to work. All my pages/files are not password protected. When running the htpasswd from the command line I get the Vista security window popup (after I changed the Priviledge Level to Admin) but it doesn’t modify or create the password file.

  5. jignesh

    April 6, 2011 at 2:58 pm

    1) Does .htaccess create password protection for directory or for individual files ?
    Can we password protect individual files ? I mean, if there are files in different directories, do I need to create .htaccess in all these directories ? Now how does it work, if I want only few files in a directory as password protected and the other files I dont want password protected ? Do Ihave to keep all password protected files in dir in which I have .htaccess and the rest files in other directories. Is this the only way ?
    2) If I want more than one directory password protected, do I have to create .htaccess in all the directoriess which I want password protected ?
    3) If I have created .htaccess in one dir and there are sub dir in this dir, do all these sub dir also become password protcted ? Or do I need to create seperate .htaccess files for these sub dir ?

  6. jignesh

    April 6, 2011 at 3:02 pm

    “AuthUserFile c:apachesecurity.htpasswd”
    Is it not required to place “\” in the path ?
    Full Path is C:\apache\security\.htpasswd. Do we not need \ in the path ?
    Thanks

  7. Steve

    February 8, 2012 at 6:24 am

    how to generate log for who (user name), when (Date/time) & from where (IP Address) protected directory/file are attempt to access?

    Please help me.

    Thank you,

    Steve.

  8. Lisa van den Brink

    April 2, 2012 at 8:31 am

    How to password protect a research website on the Apache Server from a Mac operating system. Can it be done the same way?What do I need to do?

    Thank you

To Top