How To Password Protect Your Site

Password protecting your web site, or part of the site.

The easiest way is to use the .htaccess method. This involves two files, a file called .htaccess (the full stop is important at the start of that file name) and .htpasswd (although this one can in fact be called anything you like)

Both these files are plain text files, which can be created in any text editor, although the password file .htpasswd is created by the server, so you don't have to worry too much about it.

Note, Frontpage users will find that this .htaccess method conflicts with the existing server extensions on their accounts and should be aware that using frontpage to edit the content of a protected directory may well cause the password system to fail.

The .htaccess file contains information which tells the server, where clear your password file is, what to block/allow in the directory concerned, and who can have permissions to view pages or run scripts in the directory. The .htaccess file is placed in the directory you wish to protect, and all files and subdirectories within this directory will be protected.

OK, that's the overview, now for a specific example...for best results we will assume you know how to ssh into your shell account using your login and password.

In this example, you will create a subdirectory called 'secret' and any pages within this directory will be password protected.

The directory 'secret' will be created inside your public_html directory. This way pages within this directory will be referenced on the web with the address

Using FTP or ssh create the secret directory inside your public_html directory:

you@proton:/usr/home/you> cd public_html 
you@proton:/usr/home/you/public_html> mkdir secret
you@proton:/usr/home/you/public_html> cd secret

Next create your .htaccess file. You can do this via ssh using a text editor such as jpico or you can create it on your own computer and FTP it to the server into your secret directory. NOTE make sure you upload in ASCII mode if you use FTP.

The .htaccess file should contain the following 8 lines:

AuthUserFile /home/yourname/.htpasswd
AuthGroupFile /dev/null
AuthName "My Secret Area"
AuthType Basic

<Limit GET POST>
require valid-user

The first line relates to the password file, which we will create in a moment. It is the full Unix path and name of the password file. You can put this file anywhere in your home directory, and call it anything you like, but it is recommended that this file is NOT inside your public_html directory, so that there is no chance of an outside user being able to view the file. In this example, you must change the word "yourname" to your account login username.

The second line is used if you wish to create different groups of users with varying accesses permissions. This is not covered in this quick tutorial, but more information can be found about .htaccess system at For the moment, leave this as it is, effectively, turned off.

The third line reflects the message displayed to people who are trying to authenticate via your web site. A pop up box will appear and this message will be displayed usually along the lines of "Please enter a username and password for <your message here>. Note that this message must be within double quotes on our server.

The fourth line should be left as type Basic, this is the only type of authentication supported by most browsers.

The fifth line is blank, for clarity.

The sixth line dictates what types of method will be protected with this password. POST and GET are the main types of http access, GET for every browser request to the server for pages to be displayed, and POST for posting web form data. You can also put PUT here, if you happen to be writing a script which allows file uploads, and wish these to be also protected via .htaccess. We recommend that you leave this line as it is for the moment.

The seventh line, says "require valid-user" this is a new feature of our web server which you may not see mentioned in other tutorials. Rather than having to specifiy each user in the .htaccess file that you wish to have access, you can basically say "if there is an entry for this user in the password file, then let them in here". This is the simplest and easiest way to do things.

The eight line closes the limit section. Leave this as it is.

As soon as this file is within your directory, your directory is protected. Even though the password file doesn't exist yet. Note that if you use 'ls' to list the files in ssh you won't see files which start with a full stop. you must use the -a flag to see "all" files. (ie. ls -a) Some FTP clients may not show files starting with full stops. If you have a problem creating your .htaccess file or uploading via FTP, you can always just call it htaccess without the full stop, transfer it over, and then use a ssh session to change the file name. Something like this:

you@proton:/usr/home/you> cd public_html 
you@proton:/usr/home/you/public_html> cd secret
you@proton:/usr/home/you/public_html/secret> mv htaccess .htaccess

OK now to create the password file. For this, you must really ssh into your web account. If you have no idea what ssh is or how to use it, you should probably read up on it.

You should be prompted for your username and password. Once this has been authenticated, you will be at a prompt, where you can type in commands. Each command is activated once you press the Enter or Return key on your keyboard.

We shall create the password file for the above example now, and create a user john with a password Qa2399m Remember that usernames and passwords ARE case sensitive.

Telnet into your account and type the following command at the prompt:

you@proton:/usr/home/you> htpasswd -c .htpasswd john 
Adding password for john.
New password:
Re-type new password:

This creates a new file in your home directory called .htpasswd (you can call this anything you like, but it must be the same as you called it in your .htaccess file) NOTE the passwords will not be displayed on the screen when you type them. This is a security feature.

That's IT! you've created a password protected directory called secret which the user john using the password you chose, can only access. Place an HTML file in your secret directory called for example test.html and see what happens when you try to view it on your web browser with the address

To add another user, don't use the -c flag, this was only used once when you created the password file. now it is even easier. Telnet in and add another user called mike:

you@proton:/usr/home/you> htpasswd .htpasswd mike 
Adding password for john.
New password:
Re-type new password:


The process to change an existing user is identical. If the user already exists, then you will be prompted for the old password and then the new password twice.

The .htpasswd file is a plain text file, but the passwords are stored in an encrypted fashion. You can actually use a scripting clear language such as perl to edit and create this password file. Perl has a crypt function to create the necessary crypted password. The format of the file is simply one user per line, username:cryptpass

We also support the mod_auth_mysql functionality which allows you to hold your password and username information within a MySQL database. We will not cover how to do this right now, but if you are feeling like having a go at this, the best place to start is:

Finally, once you have the password system up and running, you may wish to have a customised error page, should the user fail after 3 attempts to login in successfully. Normally a default "Authorization clear Required" message is displayed, but you might like to customise this so that a more friendly message is displayed or, perhaps a less friendly one ;-) To do this create a file called 401.html and place it in your public_html directory. This page will be used instead of the standard page. You should use complete URL's to any images in the HTML of this page, and not rely on relative paths, since the 401.html page can be viewed from any directory. NOTE you will also have to email to ask us to activate this feature for you, there is of course no charge.