Password Protect an Apache Website using .htaccess
Aug 9th, 2007 by MrGroove
If you're running your website with Apache, securing the site with a password is a simple process. I recently ran through the process on a Windows box (the majority of the shots below), but the steps are pretty much the same for Windows or Linux Apache sites.
Step 1 : Configure your .htaccess file
All the work will be done using your .htaccess file. You can find this file at the root of most Apache Websites.
Shot taken from a vanilla install of WordPress running on Windows 2003 Server:
The .htaccess file is checked by Apache prior to displaying web pages. Typically it’s used for rewrites or redirects; however, you can also use it to leverage the built-in security features of Apache.
So, the first step is to add a few parameters to the file. Below is a sample .htaccess file. (TIP: I use Notepad++ to edit most PHP and related files.)
AuthUserFile c:\apache\security\.htpasswd
AuthName "Please Enter User & PW"
AuthType Basic
require valid-user
Some Explanation:
AuthUserFile: Apache needs the location of the User/Password file. Just enter the full path to your password database file as shown above. The example above is taken from my Windows box. If you're running Linux, it would be something like: AuthUserFile /full/path/to/.htpasswd
AuthName: This field defines the Title and Text for the popup box which will be requesting the Username and PW. You can make this ANYTHING you want. Here’s an example on my test box:
Shot taken from a FireFox browser:
AuthType: This field tells Apache what type of Authentication is being used. In almost all cases, “Basic” is just fine (and the most common).
Require valid-user: This last command lets Apache know WHO is allowed. By using “valid-user” you are telling Apache ANYONE is allowed to authenticate if they have a valid username and password.
If you prefer to be more EXACT, you can specify a specific USER or USERS. This command would look like:
Require user mrgroove groovyguest
In this case, only the users mrgroove and groovyguest would be allowed to enter the page/directory you're protecting (after providing the correct username and password of course). All other users (including valid ones) will be denied access. If you want to allow more users, just separate them with spaces.
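A simplified model of what these directives do, added here as an illustration (Python, not Apache's code and not part of the original post): the Authorization header the browser sends is only base64-encoded, so the protected site should be served over HTTPS, and Require user turns away accounts that authenticate but are not listed. The ACCOUNTS table and its passwords are constructed sample data.

```python
import base64
import hmac

# Constructed sample accounts (usernames from the article, made-up passwords).
# Apache itself compares against the hashes stored in the AuthUserFile.
ACCOUNTS = {"mrgroove": "pw:with:colons", "groovyguest": "guest-pw", "otheruser": "other-pw"}

def make_header(user, password):
    """Header value the browser sends after the popup: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic_header(value):
    """Return (user, password) from an Authorization header value, else None."""
    scheme, _, blob = (value or "").strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    return (user, password) if sep and user else None

def is_allowed(header_value, require_line):
    """True if the request passes authentication and the Require line."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    stored = ACCOUNTS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return False  # unknown user or wrong password
    words = require_line.split()
    if len(words) >= 2 and words[0].lower() == "require":
        if words[1].lower() == "valid-user":
            return True  # any account that authenticated
        if words[1].lower() == "user":
            return user in words[2:]  # only the names listed
    return False  # anything else is denied in this model

if __name__ == "__main__":
    hdr = make_header("otheruser", "other-pw")
    print(hdr, "decodes to", parse_basic_header(hdr))
    print("valid-user:", is_allowed(hdr, "Require valid-user"))
    print("user list: ", is_allowed(hdr, "Require user mrgroove groovyguest"))
```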
So, now that we have all the config settings made, here’s what your finished .htaccess file should look like:
Shot taken from a Windows 2003 Server box running WordPress:
Step 2 : Create the .htpasswd file
Creating the .htpasswd file is a simple process. The file is nothing more than a text file containing a list of Users and their encrypted passwords. Each User string should be separated onto its own line. Personally, I just use notepad++ or Windows Notepad to create the file.
Shot below is an example .htpasswd file with 2 users:
Although Apache doesn’t “require” you to encrypt the passwords, it’s a simple process for both Windows and Linux Systems.
Windows
Navigate to your Apache BIN folder (usually found at C:\Program Files\Apache Group\Apache2\bin) and execute the htpasswd.exe tool to generate an MD5 encrypted Username/Password string. You can also use the tool to create the .htpasswd file for you (whatever works…). For all the details, just execute the help switch from the command line (htpasswd.exe /?).
In almost all cases however, just execute the following command:
htpasswd -nb username password
Once the command is executed, the htpasswd.exe tool will output the User string with its encrypted password.
Shot below is an example of executing the htpasswd.exe tool on Windows 2003 Server
Once you have the User String, copy it into your .htpasswd file.
Linux:
Go to http://railpix.railfan.net/pwdonly.html to create your User strings with encrypted passwords. Very simple process.
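As an added example (not from the original post), the following Python computes the same kind of $apr1$ MD5 User string that htpasswd prints, on either platform, without sending the password to a website or putting it on the command line. The username mrgroove is reused from the article; check_entry is a hypothetical helper for testing a line before copying it into .htpasswd.

```python
import getpass
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def to64(value, length):
    """crypt-style base64: emit the least significant 6 bits first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt=None):
    """Return the $apr1$salt$hash string for password (random salt if none given)."""
    pw = password.encode("utf-8")
    s = (salt or "".join(secrets.choice(ITOA64) for _ in range(8))).encode("ascii")[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    final = hashlib.md5(pw + s + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(final[:min(16, remaining)])
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds
        chunk = pw if i & 1 else final
        chunk += (s if i % 3 else b"") + (pw if i % 7 else b"")
        chunk += final if i & 1 else pw
        final = hashlib.md5(chunk).digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "$apr1$" + s.decode() + "$" + body + to64(final[11], 2)

def check_entry(line, password):
    """Verify password against one 'user:$apr1$salt$hash' line of a .htpasswd file."""
    _user, _, stored = line.strip().partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1" or not stored.isascii():
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]).encode(), stored.encode())

if __name__ == "__main__":
    # The password is read from a prompt, so it never lands in shell history.
    print("mrgroove:" + apr1_hash(getpass.getpass("Password for mrgroove: ")))
```

Newer versions of htpasswd can also write bcrypt hashes with the -B switch, which are slower to brute-force than this MD5 format.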
Step 3 : Verify Apache is configured properly (optional)
By default, Apache has the correct Modules enabled. That being said, it never hurts to be a little proactive plus it’s a quick “check”.
Open your Apache httpd.conf file and verify the AUTH module is enabled:
If you find the module isn’t enabled, just correct it as shown above. Don’t forget, you need to restart Apache for changes to your httpd.conf to take effect.
That should take care of it. All done.
Comments? Questions? Let me know.
Hey MrGroove, groovy post! Your article is very well organized and I don’t see how anyone could get confused, you did such a great job explaining things. Since you are running WordPress, check out the AskApache Password Protect plugin, which automatically adds password support to the /wp-admin/ directory on WordPress… Now I have to add Windows support!
@AskApache
Great read. I was looking for the info on creating the crypto for Apache for Windows.
Mr Groove, is it possible to catch a plain password before it is passed to the .htpasswd file for verification? If so, please let me know about it. I need it in my project.
Thank you for posting good and valid information.
Welcome to the site Prasanna,
I’ll do some digging but off-hand, I don’t have a solution for capturing the password being passed to Apache for Authentication. I’ll keep an eye out. Perhaps someone in the community can assist. Feel free to also post the question in the Forum.
Does anyone know how to get this to work on Vista? I had everything working fine on my XP machine but now I can’t get the password protection to work. All my pages/files are not password protected. When running htpasswd from the command line I get the Vista security window popup (after I changed the Privilege Level to Admin) but it doesn’t modify or create the password file.