How to Password Protect a Website or Directory
It's a good idea when you're building a test site to password protect it.
Other times, there are sections of one's website that need to be restricted to certain users.
Our platform of choice has a very granular set of permissions baked in. They let you restrict access not only to a directory or page, but also to individual page elements depending upon user role (and even down to the user, IP, and virtually anything imaginable). So this blog is focused primarily on the importance of password protection during the web development process and, more so, how to do it.
Protecting your development site is beneficial for several reasons. If you have some hot idea and don't want your competitors to see what you're doing, it's a great idea. It's also a great idea if you don't want a client to see their new site in a state of mid-development and get the wrong impression.
Along with the use of a robots.txt containing
User-agent: *
Disallow: /
password protection also helps keep robots, spiders, hackers, and scrapers out.
How to Password Protect a Website
The first thing you'll need to do is stick this bit of code in your .htaccess file.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /var/www/vhosts/.htpasswd
AuthGroupFile /dev/null
require valid-user
Your .htaccess file should be located in your website's root folder. If not, just make one using a text editor, stick the above code in, and dump it in the root. Note: the . before htaccess makes the file invisible on some systems. If you're using ssh, you can see hidden files using this little command: ls -a
The part you need to pay attention to is this bit: /var/www/vhosts/.htpasswd
That's because you need to change it according to the structure of your server. This is the path to where the password file is held: it tells the server to look in the /var/www/vhosts directory for the file .htpasswd, and that's where it'll find the password.
It's a good idea to keep your password file in a directory that's outside of your website and with limited write and user permissions for security. You wouldn't want a hacker coming in and locking you out of your own site.
Having a password file is also great because you can use the same password across your server if you want to.
If you haven't figured it out by now, you'll also need to create a password file and name it .htpasswd
Inside the file you put the username and password in this form: username:password replacing "username" and "password" with the actual username and password you want. It's a good idea to encrypt the password. The text in the file might look something like this:
admin:pe9TWz8TO1r9w
That's about all there is to it!
My favorite password protection tool is located here: http://tools.dynamicdrive.com/password/ Good stuff.
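An added example, not part of the original post: a small Python audit for the setup described above. It classifies each username:hash entry of a .htpasswd file by hash format and checks that the file sits outside the website's root with limited permissions. The function names, verdict labels and the alice and bob entries are assumptions made for illustration; the admin line is the one shown above, which has the 13-character shape of a traditional crypt() hash.

```python
import os
import re
import stat

# (scheme, pattern, verdict) for hash formats found in an Apache AuthUserFile.
SCHEMES = [
    ("bcrypt", r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}", "strong"),
    ("apr1-md5", r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}", "dated"),
    ("sha1-unsalted", r"\{SHA\}[A-Za-z0-9+/]{27}=", "weak"),
    ("des-crypt", r"[./A-Za-z0-9]{13}", "weak"),  # only the first 8 password chars count
]

def classify(pw_field):
    """Return (scheme, verdict) for the part after 'username:'."""
    for name, pattern, verdict in SCHEMES:
        if re.fullmatch(pattern, pw_field):
            return name, verdict
    return "plaintext-or-unknown", "weak"

def audit_entries(text):
    """Return (user, scheme, verdict) per 'user:hash' line; skip blanks and comments."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_field = line.split(":", 1)
        results.append((user, *classify(pw_field)))
    return results

def audit_placement(htpasswd_path, docroot):
    """Return findings on where the password file lives and who can touch it."""
    findings = []
    real_file, real_root = os.path.realpath(htpasswd_path), os.path.realpath(docroot)
    if os.path.commonpath([real_file, real_root]) == real_root:
        findings.append("inside document root")
    mode = stat.S_IMODE(os.stat(real_file).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if mode & stat.S_IROTH:
        findings.append("readable by all users")
    return findings

if __name__ == "__main__":
    # Constructed sample file; the first entry is the one shown in the post.
    sample = "admin:pe9TWz8TO1r9w\nalice:$2y$05$" + "a" * 53 + "\nbob:hunter2\n"
    for row in audit_entries(sample):
        print(row)
```

Any entry reported as weak is a candidate for regenerating with a stronger hash format, and any placement finding means the file should be moved or its mode tightened.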
