Password Protection with htaccess

Introduction

It is always a good idea to add password protection to any folder or page of your website to which you want to restrict access, and the way you apply it matters. You can write PHP authorization checks on each page, but that does not protect your images or any other media files. Another method, known as htaccess password protection or htaccess authentication, covers everything in the directory, and it is reliable and much easier to set up.

Objective

This blog post explains how to restrict access to a website so that unauthorized users cannot reach it.

Please follow the steps mentioned below:

Step 1. To use htaccess password protection, create two files in the directory to which you want to restrict access:

1) .htaccess file
2) .htpasswd file

Step 2. Add the following code to the .htaccess file you created in step 1.

The .htaccess Code

AuthType Basic
AuthName "No Access"
AuthUserFile C:/wamp64/www/test_project/self_stitch/.htpasswd
require valid-user

Note: Replace “C:/wamp64/www/test_project/” with your own directory structure.

The directives in the above code are described below:

i.) AuthType

The AuthType directive selects the method used to authenticate the user; Basic is used here.

ii.) AuthName

Replace “No Access” with any name you like. This name is shown in the login prompt when a user attempts to open an htaccess-protected page.

The AuthName directive sets the realm (domain) used in the authentication.

Once a client has authenticated in the “No Access” realm, it does not need to enter the password again for any other file in the same realm on the same server. Letting several restricted areas share the same realm therefore saves the user from entering the password over and over.

iii.) AuthUserFile

  • Add the path to your .htpasswd file in place of “C:/wamp64/www/test_project/self_stitch/.htpasswd”.
  • The “AuthUserFile” value is always specific to your host configuration.
  • If you don’t know what the value should be, run phpinfo() and check the DOCUMENT_ROOT value.
  • To do this, put the line “<?php phpinfo(); ?>” in a file named phpinfo.php in your root folder (www for localhost) and open that file in the browser. For example, on localhost, open localhost/phpinfo.php.

NOTE:

1. To password-protect more than one file in the same folder, create more <Files></Files> blocks within the same .htaccess file, for example:

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "My Secret Page"

<Files "mypage.html">
Require valid-user
</Files>

<Files "myotherpage.html">
Require valid-user
</Files>

2. To allow only specific types of files to be accessed, add the following code:

AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "My Secret Page"

# deny *everything*
<FilesMatch ".*">
Order Allow,Deny
Deny from all
</FilesMatch>

# Allowing just *certain* necessary files:
<FilesMatch ".*\.(php|html|css|js|JS|CSS)$">
Order Allow,Deny
Allow from all
</FilesMatch>

Here we first deny access to everything using <FilesMatch “.*”> and then allow only certain file types (php, html, css, js) using <FilesMatch “.*\.(php|html|css|js|JS|CSS)$”>.

Our example does not allow access to any other files, e.g. .jpg, .png, etc.
You can also allow access from a specific IP address only by using “allow from 12.34.56.78” instead of “allow from all”.

3. To require an htaccess password for only specific types of files, add the following code:

AuthType Basic
AuthName "restricted area"
AuthUserFile C:/wamp64/www/test_project/self_stitch/.htpasswd

# but now allow just *certain* necessary files:
<FilesMatch ".*\.(txt)$">
require valid-user
</FilesMatch>

With the above code all files are served without a password, but files with the extension .txt require a username and password.

4. To require an htaccess password for all files except one type, add the following code:

AuthType Basic
AuthName "restricted area"
AuthUserFile C:/wamp64/www/test_project/self_stitch/.htpasswd

<FilesMatch ".*">
Require valid-user
</FilesMatch>

# but now allow just *certain* necessary files:
<FilesMatch ".*\.(txt)$">
Require all granted
</FilesMatch>

In the above example, all files except .txt files need a username and password.
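Notes 2, 3 and 4 all depend on how Apache combines <Files> and <FilesMatch> sections that match the same file. The following added example (written for this edit, not code from the page or from Apache) parses rules in the style of those notes and reports which Require line ends up governing a given file name. It assumes Apache 2.4 semantics: with the default AuthMerging Off, the Require directives of the last matching section replace those of earlier ones, so block order decides the result. Note 2's Order/Allow/Deny lines are the Apache 2.2 form and are written here as Require all denied / Require all granted, which is what 2.4 uses natively. The configuration texts and file names are constructed for the example.

```python
# Added example for this page (not code from the page or from Apache): a small
# model of how Apache 2.4 picks the "Require" line that governs a file when
# several <Files> / <FilesMatch> sections match it. With the default
# "AuthMerging Off", the Require directives of the LAST matching section replace
# those of earlier ones, so the order of blocks inside .htaccess decides the result.
import re
from fnmatch import fnmatchcase
from posixpath import basename

# <Files "name"> or <FilesMatch "regex">; the quotes are optional in Apache.
SECTION_OPEN = re.compile(r'^<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)


def parse_htaccess(text):
    """Return (top_level_require, sections); each section is a
    (kind, pattern, require) tuple in file order. Only the directives this
    page uses are understood; AuthType/AuthName/AuthUserFile are skipped."""
    top_require, sections, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # Apache comments start the line
            continue
        m = SECTION_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError("nested sections are not supported")
            current = [m.group(1).lower(), m.group(2), None]
            continue
        if line.lower() in ("</files>", "</filesmatch>"):
            if current is not None:
                sections.append(tuple(current))
            current = None
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "require" and len(parts) == 2:
            if current is None:
                top_require = parts[1]
            else:
                current[2] = parts[1]
    return top_require, sections


def effective_require(htaccess_text, path):
    """Return the Require value that ends up governing `path`, or None when
    no section imposes one (the file is then served to anyone)."""
    top_require, sections = parse_htaccess(htaccess_text)
    name = basename(path)
    winner = top_require
    for kind, pattern, require in sections:
        if kind == "files":
            hit = fnmatchcase(name, pattern)             # exact name or shell wildcard
        else:
            hit = re.search(pattern, name) is not None   # unanchored regex, as Apache does
        if hit and require is not None:
            winner = require                             # later match wins
    return winner


# Constructed .htaccess texts mirroring notes 2 and 4 above, in Apache 2.4 syntax
# (note 2's "Order/Deny/Allow" lines are the 2.2 form of "Require all denied/granted").
NOTE2_ALLOWLIST = r'''
AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "My Secret Page"

# deny *everything*
<FilesMatch ".*">
Require all denied
</FilesMatch>

# then open just the needed kinds of file
<FilesMatch ".*\.(php|html|css|js|JS|CSS)$">
Require all granted
</FilesMatch>
'''

NOTE4_ALL_BUT_TXT = r'''
AuthType Basic
AuthName "restricted area"
AuthUserFile /full/path/to/.htpasswd

<FilesMatch ".*">
Require valid-user
</FilesMatch>

<FilesMatch ".*\.(txt)$">
Require all granted
</FilesMatch>
'''

# The same two blocks in the opposite order: the catch-all now matches last,
# so every file, .txt included, requires a login and the exemption is lost.
NOTE4_WRONG_ORDER = r'''
<FilesMatch ".*\.(txt)$">
Require all granted
</FilesMatch>

<FilesMatch ".*">
Require valid-user
</FilesMatch>
'''

if __name__ == "__main__":
    for cfg_name, cfg in [("note 2", NOTE2_ALLOWLIST), ("note 4", NOTE4_ALL_BUT_TXT),
                          ("note 4 reversed", NOTE4_WRONG_ORDER)]:
        for path in ("/site/index.php", "/site/logo.png", "/site/readme.txt"):
            print(f"{cfg_name:16} {path:20} -> {effective_require(cfg, path)}")
```

Running the block shows the point that matters most when copying these snippets: with the two blocks of note 4 swapped, the catch-all section matches last and the .txt exemption silently disappears, so every file asks for a login. The same parser handles the <Files "mypage.html"> form from note 1, where a file not named in any block gets no Require at all and is served to anyone.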

iv.) require

The line “require valid-user” means that any user listed in your .htpasswd (i.e. password) file will be able to access your website.

If your password file contains many users but you only want specific users (like John and Pamela) to be able to access the website, change “require valid-user” to:
“require user John Pamela”

Step 3. Add the username and password to the .htpasswd file as described below:

The .htpasswd Code

john:$apr1$DObQIej5$0ZmEaLN42GEz/XJEiJXh9.

i.) The .htpasswd file contains the usernames and passwords of allowed users.

ii.) The passwords are stored as hashes rather than in plain text; the $apr1$ prefix marks Apache's MD5-based format.

iii.) As you can see above, only one user is allowed, i.e. john, with the password:

Actual password: egypt4721

Hashed password: $apr1$DObQIej5$0ZmEaLN42GEz/XJEiJXh9. (Apache MD5 format).

iv.) To generate the .htpasswd entry, use the tool at the link below:

https://www.htaccesstools.com/htaccess-authentication/
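For anyone who would rather not paste a password into a third-party website, the following added example (not code from the page, and not Apache's htpasswd tool) re-implements the $apr1$ format used in the entry above: a salted MD5 construction iterated 1000 times, as in Apache's apr_md5_encode. It generates entries with a fixed or random salt and checks a username/password pair against a .htpasswd text. The sample users and passwords are constructed; only the salt DObQIej5 is taken from the page.

```python
# Added example for this page (not code from the page, and not Apache's htpasswd
# tool): a pure-Python implementation of the $apr1$ password format used in the
# entry above, so .htpasswd lines can be generated and checked offline.
# apr1 is a salted MD5 construction iterated 1000 times (Apache's apr_md5_encode).
import hashlib
import hmac
import secrets

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$apr1$"


def _to64(value, count):
    """Apache's to64(): `count` base-64 digits, least significant first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Return '$apr1$<salt>$<22 chars>'; salt is up to 8 itoa64 characters."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, sb = password.encode("utf-8"), salt.encode("ascii")

    ctx = hashlib.md5(pw + _MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                         # mix in alt, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(pw)
    while n:                             # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                # the 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # Apache's byte permutation before encoding: 5 groups of 3 bytes, then 1 byte.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + encoded


def verify_apr1(password, stored):
    """True if `password` reproduces the stored '$apr1$salt$hash' entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                     # not an apr1 entry (bcrypt "$2y$", "{SHA}", ...)
    candidate = apr1_hash(password, parts[2])
    return hmac.compare_digest(candidate.encode(), stored.encode())


def check_htpasswd(htpasswd_text, user, password):
    """True only if `user` is in the file and `password` matches its hash."""
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name == user:
            return verify_apr1(password, stored)
    return False                         # unknown user: same answer as a wrong password


# Constructed sample file: two users, entries produced by apr1_hash with fixed
# salts so the text is reproducible (the salt DObQIej5 is the one shown above).
SAMPLE_HTPASSWD = "\n".join([
    "john:" + apr1_hash("egypt4721", "DObQIej5"),
    "pamela:" + apr1_hash("correct-horse-battery", "8xK2mQpZ"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print("john/egypt4721 :", check_htpasswd(SAMPLE_HTPASSWD, "john", "egypt4721"))
    print("john/Egypt4721 :", check_htpasswd(SAMPLE_HTPASSWD, "john", "Egypt4721"))
    print("new entry      :", apr1_hash("egypt4721"))   # fresh random salt each run
```

verify_apr1 can be pointed at the john line shown above to check it against the stated password. Three practical notes for this setup: Apache's own htpasswd tool can write bcrypt entries (htpasswd -B), which are preferable to apr1 for new files; Apache's default configuration refuses to serve any file whose name starts with .ht, so the .htpasswd file is not downloadable even when, as in this tutorial, it lives inside the document root; and Basic authentication sends the username and password with every request, so the protected area should be served over HTTPS.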

After creating the .htaccess and .htpasswd files in the directory you want to protect, a login prompt is displayed when you open your website. Please refer to the screenshot below:

Password protection

Click Here to download a sample project with .htaccess password protected.

Aparajita Singh

Aparajita Singh is an experienced software engineer in PHP. She also has knowledge of C, Java and database design. She has been working in the IT industry for the last 2 years and is still looking forward to achieving more in it. She lives in New Delhi and her hobby is writing technical write-ups.
