Overview
This article explains how to password-protect your website using an .htaccess file.
Using the panel to password-protect your site
An alternative option is to use the panel tool on the Htaccess/WebDAV page. However, please note that if you need access to manually edit your .htaccess and .htpasswd files in the future, you must use the instructions in this article, as the panel option removes access to these files.
Prerequisites
This article assumes you have Created a Shell user and are able to log into your server via SSH.
How to password protect your site
The following steps create an .htpasswd and .htaccess file to protect either an entire website, a specific subdirectory, or specific files.
Create the .htpasswd file
- Log into your server via SSH.
- Navigate into the directory you wish to password protect.
This would either be example.com for your entire website or example.com/subdir for a subdirectory.
- Run pwd to confirm the full file path to this directory. Make a note of this.
[server]$ pwd /home/username/example.com
-
Create an .htpasswd file by running the following command.
Change the directory path and user1 to the name of the login user you wish to create.
[server]$ htpasswd -c /home/username/example.com/.htpasswd user1
- When prompted, enter a password for the new user. The code in your .htpasswd file then displays the encrypted password like this:
user1:$apr1$bkS4zPQl$SyGLA9oP75L5uM5GHpe9A2
- When prompted, enter a password for the new user. The code in your .htpasswd file then displays the encrypted password like this:
-
Run the command again (without the -c option) for any other users you wish to allow access to your directory.
-
Set the permissions to 644.
[server]$ chmod 644 .htpasswd
Create the .htaccess file
In the same directory, create an .htaccess file and add one of the following code examples depending on your site's needs:
Protect an entire website (or subdirectory)
-
This example password protects an entire website or subdirectory, depending on the file path.
#Protect Directory AuthName "Dialog prompt" AuthType Basic AuthUserFile /home/username/example.com/.htpasswd Require valid-user
Protect a single file
-
This example password protects a single file named admin.php:
#Protect single file <Files admin.php> AuthName "Dialog prompt" AuthType Basic AuthUserFile /home/username/example.com/.htpasswd Require valid-user </Files>
Protect multiple files
-
This example protects multiple files such as admin.php and staff.php.
#Protect multiple files <FilesMatch "^(admin|staff).php$"> AuthName "Dialog prompt" AuthType Basic AuthUserFile /home/username/example.com/.htpasswd Require valid-user </FilesMatch>
Protect a WordPress subdirectory
-
Due to how WordPress routes all page requests, attempting to access a password protected subdirectory will throw a 404 Not Found error. To resolve this, you must an extra line to the .htaccess file to reference ErrorDocument.
This example protects a subdirectory named members.
ErrorDocument 401 default #Protect Directory AuthName "Dialog prompt" AuthType Basic AuthUserFile /home/username/example.com/members/.htpasswd Require valid-user
Test your site
Visit your website and test if your new password prompt is displaying as configured.
Forcing SSL (HTTPS) on the login prompt
If your site is not using an SSL certificate, the login prompt you see is not encrypted. This means your password will be sent as plain text over http. In order to encrypt this login, you must add an SSL certificate to your domain.
If your site is using an SSL certificate, but it is not redirecting automatically to HTTPS, please contact support for assistance.