Directory protection using .htaccess
One of the most common uses of .htaccess is to password-protect specific directories using basic HTTP authentication. Directory protection limits access to specific content on your web site to users to whom you have assigned a username and password. This can be used to set up "members only" areas or fee-based subscription content, or to restrict access to administrative content to you personally. Basic authentication sends the username and password base64-encoded rather than encrypted, so serve protected directories over HTTPS.
Setting up directory protection involves the creation of two files: a .htaccess file stored within the directory you wish to password protect (or the top folder of a directory tree) and a second file, commonly named .htpasswd, in which the actual usernames and passwords are stored.
Note: As with several of the .htaccess features we are discussing in this FAQ topic area there is a convenient utility available within your HostRocket control panel which is designed to automate the setting up of password protected folders. We recommend that customers check out the "Directory Protection" section in their control panel for an easy method of setting this up which doesn't involve or require any manual editing or creation of .htaccess/.htpasswd files.
Creating the .htaccess file
Create a .htaccess file within the directory you wish to password protect containing code similar to the following:
AuthType Basic
AuthName "Members Only Area"
AuthUserFile /home/hruser/pwl/.htpasswd
Require valid-user
- The first and last lines are standard and should be used as-is.
- On the AuthName line one can use any text they wish to appear on the login dialog users see when they are prompted for their username.
- The AuthUserFile line must include the correct server path to your .htpasswd file. For security reasons it is recommended that one store the .htpasswd file somewhere in their root username directory above public_html, where it cannot be accessed from the web. In the example above the .htpasswd file has been placed in a folder named "pwl" in the /home/hruser directory (the topmost directory seen when you log in to your HostRocket account via the File Manager or FTP).
Creating the .htpasswd file
The .htpasswd file, which like .htaccess is just an ASCII (plain text) file, contains a list of the users who are allowed to access your password protected directory and their assigned passwords. An example .htpasswd file would be as follows:
As you can see, the passwords are stored in encrypted (hashed) form rather than as plain text. The actual logins represented in the example above are:
username: John - password: dog
username: Mary - password: cat
username: Bob - password: bird
username: Neal - password: fish
As for encrypting your passwords, there are numerous .htpasswd password generators publicly posted online, as well as password generator scripts which you can install locally on your own account (note that when using the Directory Protection in your control panel the passwords you choose are encrypted automatically). A generator that runs locally, such as the htpasswd utility that ships with Apache, avoids submitting the password to a third-party site. One can find plenty of options for encrypting passwords suitable for use in a .htpasswd file via the links at the other end of this Google search:
Google search - htpasswd+password+generator
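The following check is an added example, not HostRocket's own code: it reads the AuthUserFile path from .htaccess content, confirms the .htpasswd file sits outside the web root as recommended above, and reports which hash format each .htpasswd entry uses. The function names, the web root /home/hruser/public_html and the sample entries are assumptions made for illustration.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Prefixes of the htpasswd hash formats, with a verdict for each.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt", "strong"),
    (re.compile(r"^\$apr1\$"), "apr1-md5", "legacy"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", "insecure"),
    # Traditional crypt(): exactly 13 characters (heuristic match).
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", "insecure"),
]

def classify_hash(value):
    for pattern, name, verdict in SCHEMES:
        if pattern.match(value):
            return name, verdict
    return "plaintext-or-unknown", "review"

def audit_htpasswd(text):
    """Return (user, scheme, verdict) for every user:hash line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, value = line.split(":", 1)
            findings.append((user, *classify_hash(value)))
    return findings

def auth_user_file(htaccess_text):
    """Extract the AuthUserFile path from .htaccess content, if any."""
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)', htaccess_text, re.M | re.I)
    return m.group(1) if m else None

def inside_docroot(path, docroot):
    """True if path resolves to a location at or below the web root."""
    p = PurePosixPath(posixpath.normpath(path))
    root = PurePosixPath(posixpath.normpath(docroot))
    return p == root or root in p.parents

# Constructed sample input; hash values are placeholders, not real hashes.
SAMPLE_HTACCESS = 'AuthName "Members Only Area"\nAuthUserFile /home/hruser/pwl/.htpasswd\n'
SAMPLE_HTPASSWD = """\
alice:$2y$10$PLACEHOLDERplaceholderPLACEHOLDERplaceholderPLACEHOLDER12
bob:$apr1$saltsalt$PLACEHOLDERplaceholder
carol:{SHA}PLACEHOLDERplaceholderPLACEH=
dave:abCDefGHijKLm
"""

if __name__ == "__main__":
    path = auth_user_file(SAMPLE_HTACCESS)
    print(path, "inside docroot:", inside_docroot(path, "/home/hruser/public_html"))
    for finding in audit_htpasswd(SAMPLE_HTPASSWD):
        print(*finding)
```

Entries reported as "insecure" or "review" are candidates for regeneration in a stronger format, and an AuthUserFile path reported as inside the web root should be moved above public_html.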
Things to Note
Directory protection via .htaccess/.htpasswd can be automated via the use of any one of countless scripts allowing for usernames and passwords to be created 'on the fly' without manual intervention. On the other end of the following links one can find a large number of Perl password protection scripts (most of which use .htaccess/.htpasswd) as well as PHP-based alternatives:
hotscripts.com - Perl password protection scripts
hotscripts.com - PHP user authentication scripts