Password protecting your site with an .htaccess file

Overview

This article explains how to password protect your directory via SSH by creating an .htaccess and .htpasswd file. The following steps are covered in this article.

  • Creating the files
  • WordPress and HTTPS examples

Using the panel to password protect your site

The easiest way to password protect your site is to use the tool in the DreamHost panel. Navigate to the Htaccess/WebDAV page. You can then set up password protection there.

No access to your .htaccess and .htpasswd files

However, please note that if you use the panel option, the .htaccess and .htpasswd files will be owned by the server. This means you will not be able to manually edit either of these files if you need to. Additionally, these instructions will overwrite any existing .htaccess file. Make sure to back up your existing .htaccess file before beginning these steps.

If you only need to password protect your site and will need access to your .htaccess and .htpasswd file at any time in the future, you should use the instructions in this article instead to manually create those files. 

In the following examples, change username to your Shell user and example.com to your website.

Step 1 — Create the .htpasswd file

  1. Log into your server via SSH.
  2. Navigate into the directory you wish to password protect.

    If you're password protecting the entire website, it would most likely be example.com.

    [server]$ cd ~/example.com

    If you're password protecting a subdirectory like example.com/members, it would go into that subdirectory.

    [server]$ cd ~/example.com/members
  3. Run pwd to confirm the full file path to this directory. You'll need this full path in the next step.
    [server]$ pwd
    /home/username/example.com
  4. Create an .htpasswd file by running the following command in the directory you wish to password protect. This uses the htpasswd utility and the full path to the directory. For example, if the username you're creating to log in is user1, run the following:
    [server]$ htpasswd -c /home/username/example.com/.htpasswd user1
  5. Enter a password for the new user named user1. The .htpasswd file then stores the hashed password like this:
    user1:$apr1$bkS4zPQl$SyGLA9oP75L5uM5GHpe9A2

    Run it again (without the -c option) for any other users you wish to allow access to your directory.

  6. Set the permissions to 644 by running the following command.
    [server]$ chmod 644 .htpasswd
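
The $apr1$ prefix in the line above is Apache's salted MD5 scheme, the htpasswd default; `htpasswd -B` stores a bcrypt hash instead, which is far slower to guess offline if the file is ever read. The following script is an added example, not part of the original article, that reports which scheme each entry in an .htpasswd file uses. The function names and the user2 to user4 sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: report the hash scheme of every entry in an .htpasswd file.
# Real use: audit_htpasswd < /home/username/example.com/.htpasswd

audit_htpasswd() {
    # Reads "user:hash" lines on stdin, prints "user scheme verdict".
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        user=${line%%:*}                  # text before the first colon
        hash=${line#*:}                   # everything after it
        case "$hash" in
            '$2y$'*)   scheme=bcrypt;             verdict=ok ;;      # htpasswd -B
            '$apr1$'*) scheme=apr1-md5;           verdict=legacy ;;  # htpasswd default
            '{SHA}'*)  scheme=sha1-unsalted;      verdict=weak ;;    # htpasswd -s
            *)         scheme=crypt-or-plaintext; verdict=weak ;;    # htpasswd -d / -p
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done
}

demo_audit() {
    # Constructed sample: user1 is the line shown in this article; the other
    # hash values are placeholders, not real password hashes.
    audit_htpasswd <<'EOF'
user1:$apr1$bkS4zPQl$SyGLA9oP75L5uM5GHpe9A2
user2:$2y$05$PLACEHOLDERplaceholderPLACEHOLDERplaceholderPLACEHOLDERpl
user3:{SHA}PLACEHOLDERplaceholderPLACEHO=
user4:PLACEHOLDERxx
EOF
}

demo_audit
```

Entries reported as legacy or weak can be replaced by running htpasswd again for that user with the -B option and entering the password again.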


Step 2 — Create the .htaccess file

Next, create an .htaccess file using the nano editor:

Make sure to add this .htaccess file in the same directory you added the .htpasswd file.

[server]$ nano .htaccess

Code examples to add to the .htaccess file

Protect an entire website

This example password protects an entire website by placing the files in the site's main web directory.

Make sure to change the highlighted lines to your username, domain name, and specific file names.

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user

Protect a single file

This example password protects a single file named admin.php:

#Protect single file
<Files admin.php>
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
</Files>

Protect multiple files

This example protects multiple files such as admin.php and staff.php.

#Protect multiple files
<FilesMatch "^(admin|staff)\.php$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
</FilesMatch>

Code to protect a WordPress subdirectory

Due to how WordPress routes all page requests, attempting to access a password protected subdirectory will throw a 404 Not Found error. To resolve this, you must add an extra line to the .htaccess file to reference ErrorDocument.

This example protects a subdirectory named members.

ErrorDocument 401 default
    
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/members/.htpasswd
Require valid-user

Force SSL (HTTPS) on the login prompt

The following steps are not necessary if your site automatically redirects to HTTPS. This is the case for any SSL certificates added after Sept 2020.

If you have an older SSL that is currently not redirecting automatically (without adding any custom code to your .htaccess file), please contact support for assistance.

If your site is not using an SSL certificate, the login prompt you see is not encrypted. This means your password will be sent as plain text over http. In order to encrypt this login, you must add an SSL certificate to your domain. Once added, add the code below to force SSL when logging in.

This method prevents submission of an .htaccess password prompt on an unencrypted connection. If you wish to ensure that your server is only serving documents over an encrypted SSL channel, then you must use the SSLRequireSSL directive with the +StrictRequire Option enabled:

Step 1 — Adding code to your .htaccess file

The following code examples force your login prompt to load using HTTPS. However, make sure you have correctly set the base URL and www subdomain as mentioned below.

Set the base URL

Make sure the URL you enter next to SSLRequire is your site's base URL. For example:

  • example.com: use this for a primary domain or a subdirectory like example.com/blog
  • blog.example.com: use this for a subdomain

The 'www' subdomain

Do NOT include www in front of the URL if you're forcing the 'www' subdomain to be removed in your panel.

  • example.com

However, if you're forcing the 'www' subdomain to be added in your panel, make sure to add www to the domain name.

  • www.example.com

Additionally, you can use any file name you like for your 403 document. Below it is named error_redirect.php.

If you're password protecting the entire website

The following code example assumes you have created the .htaccess, .htpasswd, and error_redirect.php files in the site's primary directory you are password protecting.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "example.com"
ErrorDocument 403 /error_redirect.php

<Files /error_redirect.php>
  AuthType none
</Files>

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user

If you're only password protecting a subdirectory

If you only want to protect a single subdirectory and not the whole site, specify the subdirectory in your .htaccess file as shown in the following code:

The following code example assumes you have created the .htaccess, .htpasswd, and error_redirect.php files in the subdirectory you are password protecting.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "example.com"

ErrorDocument 403 /error_redirect.php

<Files /error_redirect.php>
  AuthType none
</Files>

#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/blog/.htpasswd
Require valid-user

Step 2 — Add code to your error_redirect.php file

Now that your .htaccess will redirect to your error page, you must put some code into this error page to correctly redirect back to your secure login. Add the following PHP code.

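<?php
  // Send the browser to the same host and path over HTTPS.
  header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
  exit; // stop here so nothing else is sent after the redirect header
?>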

If you now try to log in, you'll see both the URL and login prompt change to https://example.com.
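
To confirm the result from the shell, request the protected URL over plain http:// and check that the server answers with a redirect to your base URL over HTTPS and never with a Basic login challenge. The script below is an added example, not part of the original article; the function names and the sample responses are constructed for illustration.

```sh
#!/bin/sh
# Added example: judge the response to a request sent over plain http://.
# Real use: curl -sI http://example.com/members/ | check_plain_http example.com

check_plain_http() {
    # $1 = base URL host expected in the redirect; stdin = response headers.
    want=$1 status='' location='' challenge=no
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')       # drop CR from CRLF
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')  # header names are case-insensitive
        case "$lower" in
            http/*) status=${line#* }; status=${status%% *} ;;
            'www-authenticate:'*basic*) challenge=yes ;;
            'location:'*) location=${line#*:}; location=${location# } ;;
        esac
    done
    if [ "$challenge" = yes ]; then
        echo "FAIL basic-challenge-over-http"   # password would travel in clear text
        return 0
    fi
    case "$status:$location" in
        3??:"https://$want"|3??:"https://$want"/*) echo "PASS redirect-to-https" ;;
        3??:*) echo "REVIEW unexpected-redirect-target" ;;
        *)     echo "REVIEW status-${status:-none}" ;;
    esac
}

demo_checks() {
    # Constructed responses, not captured from a real server.
    check_plain_http example.com <<'EOF'
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Dialog prompt"
EOF
    check_plain_http example.com <<'EOF'
HTTP/1.1 302 Found
Location: https://example.com/members/
EOF
    check_plain_http example.com <<'EOF'
HTTP/1.1 302 Found
Location: https://other.example/members/
EOF
}

demo_checks
```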

Issue with renewing a 'Let's Encrypt' certificate

The code may cause a 'Let's Encrypt' certificate to not renew properly. If you have added a 'Let's Encrypt' certificate to your domain, make sure to disable the code in your .htaccess file when your certificate is about to renew. Once renewed, you can re-enable the code.
