digitalFAQ.com Forum

digitalFAQ.com Forum (https://www.digitalfaq.com/forum/)
-   Website and Server Troubleshooting (https://www.digitalfaq.com/forum/web-tech/)
-   -   How to password protect a folder with .htaccess/.htpasswd (https://www.digitalfaq.com/forum/web-tech/2493-how-password-protect.html)

kpmedia 10-18-2010 04:41 AM
How to password protect a folder with .htaccess/.htpasswd
 
Protecting a folder on your web hosting server is usually very easy. Most control panels, such as cPanel and Plesk**, have obvious password protection options in the web browser based GUI.

But if you're on an Apache based server (be it running on Linux, Windows, or otherwise), you can simply add an .htaccess file into that folder and place an .htpasswd file at the specified location.

Add this to your new or existing .htaccess file, in the folder that needs protecting:
PHP Code:
AuthName "Protected Folder"
AuthType Basic
AuthUserFile /home/httpd/vhosts/yourdomain.com/subdomains/yoursubdomain/httpdocs/.htpasswd
Require valid-user 
This line must be accurate...
Code:
AuthUserFile /home/httpd/vhosts/yourdomain.com/subdomains/yoursubdomain/httpdocs/.htpasswd
... otherwise you won't be able to authenticate, therefore being locked out of that folder via a web browser.

If you're not 100% sure what your folder's full path is, simply create a PHP file and place it in that folder. (Before saving changes to the .htaccess, of course, otherwise you're going to be locked out of it!). See those instructions at: How to find the full path to your server directory, using a PHP file

Then create your .htpasswd file. The file essentially looks like this:
Code:
username:password
... and that's all that is in the file. However, the password is not plain text, it's been hashed with MD5.
So the file needs to be properly "encrypted" and will look more like this:
Code:
username:$apr1$OCifD/..$zZrHP8ynh75.DwzNhfeAm0
To create a hashed version, use the .htpasswd generator found here: http://www.htaccesstools.com/htpasswd-generator/

For added security, this Apache password file can be located outside of the public accessible folders, assuming you have access to non-public levels. Many shared hosts will prevent you from putting files closer to root, essentially jailing you to httpdocs/htdocs public folders. In Plesk, there's the "private" folder for such things to exist, even with shared hosting. For example:
Code:
vhosts/domain.com/httpdocs
vhosts/domain.com/private
How much access you have depends on your server. For VPS (virtual private servers) and dedicated setups, you can do pretty much anything you want.

.htaccess should, of course, be enabled on the Apache server.

It should also be mentioned that this does NOT work on IIS Mod-Rewrite ISAPI filters for Windows. Simply use Windows protection on IIS, either directly via the OS control panel, or through your third-party panel like Plesk 8 or Plesk 9.

Quote:
** Plesk Problems with Protecting Folders on Subdomains:

Note that the password protection option in the Plesk GUI does not work for folders in the subdomains, on Apache, when the subdomains have been attached or (nested under) primary domains. By "attached" I mean "domain.com" has only one entry in Plesk, and you've added/attached the subdomain underneath domain.com, using the subdomains option for domain.com.

You must use this manual .htaccess/.htpasswd "trick" to password protect your folders on the nested sub domains.

The workaround for being able to easily add password protection to subdomains in Plesk is to treat it like a full domain, instead of nesting it underneath the main domain.com domain. Of course, on many limited licenses, this is not an option, because it would count as two separate domains on the server, for the purpose of license usage.
Now go protect your stuff! :cool:


All times are GMT -5. The time now is 11:40 PM

Site design, images and content © 2002-2024 The Digital FAQ, www.digitalFAQ.com
Forum Software by vBulletin · Copyright © 2024 Jelsoft Enterprises Ltd.