How do I password protect my site?

Using the panel to password protect your site

The easiest way to password protect your site is using the tool in the DreamHost panel. Navigate to the Htaccess/WebDAV page. You can then set up password protection there.

If you'd rather create it manually using SSH, view the following sections.

Creating an .htaccess file on your DreamHost web server

View the following article for instructions on how to create an .htaccess file on your web server:

You should use the SSH option to create the file.

Password protecting your site

Creating the .htpasswd file

You can use an .htaccess file to password protect a file or folder using basic authentication.

  1. Create an .htpasswd file in the directory you wish to password protect using the the htpasswd utility. For the first user, say user1, run the following:
    [server]$ htpasswd -c /home/username/ user1
  2. Enter the password for the user. This creates a password for a user named 'user1'. The code in your .htpasswd file will show the encrypted password like this:
  3. Run it again (without the -c option) for any other users you wish to allow access to your directory.
  4. Set the permissions on this file to 644.
    [server]$ chmod 644 .htpasswd

View the following page for further information:

Creating the .htaccess file

Next, create an .htaccess file using the 'nano' editor:

[server]$ nano .htaccess

Code examples to add to the .htaccess file

This example password protects an entire website directory. Make sure to change the lines in bold to your actual file path while changing to your username and domain name.

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/
Require valid-user

This example password protects a single file:

#Protect single file
<Files admin.php>
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/
Require valid-user

This example protects multiple files:

#Protect multiple files
<FilesMatch "^(admin|staff).php$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/
Require valid-user

Force SSL (HTTPS) on the login prompt

By default, the login prompt you see is not encrypted. This means your password will be sent as plain text over http. In order to encrypt this login, you must add an SSL certificate to your domain. Once added, add the code below to force SSL when logging in.

This method prevents submission of an .htaccess password prompt on an unencrypted connection. If you wish to ensure that your server is only serving documents over an encrypted SSL channel, then you must use the SSLRequireSSL directive with the +StrictRequire Option enabled:

Step 1 — Adding code to your .htaccess file

Make sure the URL you enter next to SSLRequire is your site's base URL. Do not include 'www' in front of the URL if you're forcing 'www' to be removed in your panel.

If you're securing a subdirectory such as '', this URL would still be ''.

Additionally, you can use any file you like for your 403 document. Below it is shown as 'error_redirect.php'. Change this to your chosen file.

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq ""
ErrorDocument 403 /error_redirect.php <Files /error_redirect.php> AuthType none </Files>

If you're only protecting a subdirectory

If you only want to protect a single subdirectory and not the whole site, specify the subdirectory in your .htaccess file as shown in the following code:

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/example_username/
Require valid-user

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq ""

ErrorDocument 403 /blog/error_redirect.php

<Files /error_redirect.php>
  AuthType none

If your site is on a server running Ubuntu 14 (Trusty), make sure to change the ErrorDocument line to the full URL path. For example:

ErrorDocument 403

Step 2 — Add code to your error_redirect.php file

Now that your .htaccess will redirect to your error page, you must put some code into this error page to correctly redirect back to your secure login. Add the following PHP code.

    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);

If you now try to log in, you''ll see both the URL and login prompt change to

Issue with renewing a 'Let's Encrypt' certificate

The code may cause a 'Let's Encrypt' certificate to not renew properly. If you have added a 'Let's Encrypt' certificate to your domain, make sure to disable the code below in your .htaccess file when your certificate is about to renew. Once renewed, you can re-enable the code below.

See also

Did this article answer your questions?

Article last updated PST.