Password protecting your site with an .htaccess file

 

Overview

This article explains how to password-protect your website using an .htaccess file.

Using the panel to password-protect your site

An alternative option is to use the panel tool on the Htaccess/WebDAV page. However, please note that if you need access to manually edit your .htaccess and .htpasswd files in the future, you must use the instructions in this article, as the panel option removes access to these files.

Prerequisites

This article assumes you have Created a Shell user and are able to log into your server via SSH.

How to password protect your site

The following steps create an .htpasswd and .htaccess file to protect either an entire website, a specific subdirectory, or specific files.

 

 Create the .htpasswd file

  1. Log into your server via SSH.
  2. Navigate into the directory you wish to password protect.

    This would either be example.com for your entire website or example.com/subdir for a subdirectory.

  3. Run pwd to confirm the full file path to this directory. Make a note of this.
    [server]$ pwd
    /home/username/example.com
  4. Create an .htpasswd file by running the following command.

    Change the directory path and user1 to the name of the login user you wish to create.

    [server]$ htpasswd -c /home/username/example.com/.htpasswd user1
    When prompted, enter a password for the new user. The code in your .htpasswd file then displays the encrypted password like this:
    user1:$apr1$bkS4zPQl$SyGLA9oP75L5uM5GHpe9A2
  5. Run the command again (without the -c option) for any other users you wish to allow access to your directory.

  6. Set the permissions to 644.
    [server]$ chmod 644 .htpasswd

Create the .htaccess file

In the same directory, create an .htaccess file and add one of the following code examples depending on your site's needs:

Protect an entire website (or subdirectory)

This example password protects an entire website or subdirectory, depending on the file path.

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user

Protect a single file

This example password protects a single file named admin.php:

#Protect single file
<Files admin.php>
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
</Files>

Protect multiple files

This example protects multiple files such as admin.php and staff.php.

#Protect multiple files
<FilesMatch "^(admin|staff).php$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
</FilesMatch>

Protect a WordPress subdirectory

Due to how WordPress routes all page requests, attempting to access a password protected subdirectory will throw a 404 Not Found error. To resolve this, you must an extra line to the .htaccess file to reference ErrorDocument.

This example protects a subdirectory named members.

ErrorDocument 401 default
    
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/members/.htpasswd
Require valid-user

Test your site

Visit your website and test if your new password prompt is displaying as configured.

Forcing SSL (HTTPS) on the login prompt

If your site is not using an SSL certificate, the login prompt you see is not encrypted. This means your password will be sent as plain text over http. In order to encrypt this login, you must add an SSL certificate to your domain.

If your site is using an SSL certificate, but it is not redirecting automatically to HTTPS, please contact support for assistance.

See also

Did this article answer your questions?

Article last updated PST.

Still not finding what you're looking for?