Home > Web hosting - Linux. > Password-protecting web pages, using .htaccess, on the linux web hosting platform

Password-protecting web pages, using .htaccess, on the linux web hosting platform

Most of the time, if Pulsant hosts your website, you want the whole world to be able to see it in all its glory. However, there may be occasions where you want to prevent the world at large from accessing certain pages, such as a page just for a certain client or a company intranet only for employees.

For websites hosted on our Apache (UNIX) webserver it is possible for you to protect areas of your website yourself in two simple steps. NB To follow these instructions, you require shell access to your Pulsant account. If you do not have this or would like to know more about it,take a look at our shell server FAQ.

Step 1: Creating an access list

For any website to which you want to restrict access, you need to have a list of users who are allowed access to parts of the site. You can do this by creating a password file. It goes without saying that this file should be protected from prying eyes, so a good place to put it is in your home directory.

If you do not already have an .htaccess password file, type the following command at the shell prompt:

htpasswd -c /home/<accountname>/<passwordfile> <username>

where <accountname> is your Pulsant account name, <passwordfile> is the name of the password file you’re creating, and <username> is the name of the user for whom you’re adding the password. You will then be prompted for a password for that username.

NB if you have already created a password file and are just adding more users then use the above command without the -c option.

Please note that standard password encryption methods can only encrypt up to 8 characters, so while you can use a password longer than 8 characters, the remainder of the characters will be ignored.

Please refer to the shell command “man htpasswd” for more information.

Step 2: Locking a directory

The way to prevent unauthorised access to web pages is to keep them in a locked sub-directory of your public_html directory. To lock a sub-directory, you need to create a file in that directory called .htaccess. Below is a bare-bones, working .htaccess file which may be copied and pasted into a text editor:

AuthName “Realm”
AuthType Basic
AuthGroupFile /dev/null
AuthUserFile /home/<accountname>/<passwordfile>
require valid-user

where Realm (which should be in quotes) is a label which appears in the password protection dialog box for the directory you’re protecting, <accountname> is your Pulsant account name, and <passwordfile> is the name of your .htaccess password file from Step 1.

NB the line require valid-user will allow anyone in the password file access to the protected directory. If you wish to allow only certain specific people from the password list into a directory, you can achieve this by replacing the line with:

require user user1 user2 user3. . .

for as many users as you wish to allow. This is most useful if you wish to protect more than one directory, each with different users, but wish to maintain only one password file.

After the file is created in the directory, you will not see it because it is hidden from normal view of the ls command. To see hidden files, you must use ls -a.

Finally you need to type the following command, at the shell prompt, in the directory containing the .htaccess file:

chmod 644 .htaccess

Once this is done, your directory and any web pages in it are protected.