Password protection is probably the most used function of the .htaccess file aside from custom error pages. Setting up a password-protected directory is a little more elaborate than what we have seen thus far but is certainly feasible by anyone with a little willingness to learn.
The .htaccess method of password protecting a directory uses another file, called .htpasswd. This stores the username of the user along with the encrypted password of that user. Each time the user attempts to access a file within a protected area, the username and password the user inputs is checked against the .htpasswd file for authentication.
First, we need to create the .htpasswd file. Normally, you need access to the Unix machine to create this file with the following htpasswd utility:
htpasswd -c /home/user/names steve
The above line of code creates the file 'names' (with the -c flag) and creates the username of steve. The system will then ask for a password twice. However, since some web-hosting providers do not allow clients the ability to access the machine, we need another method for creating this file.
I found a neat utility online useful for encrypting the password for a user. Simply click here and enter the desired username. Then, enter the password twice and click the 'calculate' button. You should come back with something like this (given the username of steve):
Copy and paste that entire line into a blank text file and name it .htpasswd. Each time you wish to create another user, simply use the same web site and copy and paste the new username and encrypted password to the next available line in your .htpasswd file.
Next, upload this document to your account. If you can, upload this file to a directory above that of your root web directory. For example, if your root directory was /home/user/public_html, then the directory above it would be user. This makes this file completely inaccessible by the general Internet public, which is a very good thing. Remember to upload this document in ASCII and not binary.
Our next step is to create (or amend) the .htaccess file. Open or create the file and include this within it:
Notice that we have specified the location of the .htpasswd file as /home/user/.htpasswd. Be sure the path is correct to the .htpasswd document on the system. We will not be using a Group file, so we can input any directory. The AuthName directive is what will be displayed in the popup dialog box that asks for the username and password to access a protected directory.
Also notice require valid-user. This means that any username within the .htpasswd file can be checked and validated. If, for example, we only wanted to allow particular users access, we could use something like:
require user username1 username2 username3 username4
That is all there is to it to create a password protected directory! Be aware that if you place this file within your root directory, your entire web site will be password protected, which may or may not be what you intended.