How To, Tutorials, Web Hosting

Password Protect Your Site: Two Different Methods with Examples


Tweet about this on TwitterShare on FacebookShare on LinkedInEmail this to someone

Password Protect Your Site

Web Efficient Password Protect Blog Title copy

 

Whether the reason is to restrict access to your team, protect sensitive content, keep your in-progress content hidden, or all of the above, a password can go a long way to ease the process (and your mind).  

The nifty thing about password protecting your website is that it gives you control of the users. You can control who accesses what pages, what their passwords are, and, if the need arises, you can delete users completely so that they no longer have access to anything related to your site.

 

.htaccess: What is it?

.htaccess is a configuration file that allows you to turn server features on and off. You can use it to establish password protection for your website. With .htaccess, you can password protect specific pages, directories, or the whole site!

.htaccess is pretty particular, though. To effectively execute its duties, the .htaccess file has to be named correctly.

.htaccess begins with a period ( . ), which indicates that it is a hidden file. Consequently, if you are working on an .htaccess file locally, you may have trouble finding it again once you save it.

If you really want to work on it locally, check out how to find hidden files on Windows and  MAC.

.htaccess on Server

However, if you don’t want the hassle of working on it locally, don’t fret! Your hosting service may give you the ability to work on it in the hosting service interface. Check your hosting service’s documentation or contact them to see if they offer .htaccess editing.

Single pages and directories can have separate .htaccess files. Make sure you are editing the .htaccess files for the places you want to be password protected. For example, you shouldn’t edit an entire directory .htaccess file if you only want to password protect one page within that directory.

To see how to find an .htaccess file in pair Networks’ Account Control Center, visit our KB article.

Setting Up Password Protection in the .htaccess File

Setting Up Password Protection in the .htaccess File

Once you have access to your .htaccess file, you need to add the code to establish the passwords.

This is simple. Simply copy this code, paste into your .htaccess file, make a few minor changes and ta-da! All good to go.

 

AuthType Basic

AuthName “My Protected Area”

AuthUserFile /path/to/.htpasswd

Require valid-user

Changes to Make

You need to change the file path next to AuthUserFile. While we have an example path in there, you need to provide the file path to your .htpasswd file.

If the file path is incorrect, the .htaccess file will not be able to compare the inputted username and passwords to the accepted ones. This will result in every login attempt failing, regardless of whether their credentials were correct.

You can also change the AuthName. This will change the name of the box that asks for login credentials. We put in “My Protected Area,” but feel free to change it to something that better fits you and your site.

Moving .htaccess to Your Server

Once you’ve added the code to the .htaccess file, the next step is to put the .htaccess file on your server. If you’re editing the .htaccess file in your server’s interface, you probably only have to save the file for the .htaccess to be updated.

If you are working on the .htaccess file locally, though, you’ll have to locate the file and upload it to the server.

FTP/SFTP (File Transfer Protocol) is a common way of moving files. We recommend using SFTP, the secure version of FTP.  

Binary vs. ASCII

However, if you use FTP/SFTP, make sure you’re transferring the files in ASCII. Some FTP/SFTP may default to transferring files in binary. Binary and ASCII upload files differently. Binary is good for images and music files, while ASCII is better suited for text, code, and – you guessed it – .htaccess files.

If you accidentally upload the file in using the wrong one, the file could become corrupted and end up giving you web page errors.

Nobody wants that. So be proactive and check around your FTP/SFTP client settings for something like “Transfer Modes” or “Transfer Types” and make sure ASCII is selected.

 

.htpasswd: What is it?

The .htpasswd file stores all the usernames and their respective passwords. The .htaccess file will pull information from the .htpasswd file so it can tell what username and password combinations are legitimate.

 

Setting Up the .htpasswd File

.htpasswd works by storing usernames and passwords in a username:password format. Each username and password combination takes up one line.

However, the passwords need to be encrypted for this to work (also, it is much safer to encrypt them than it is to let them lay around in the open).

Your .htpssword file will end up looking something like this:

 

Username1:$apr1$INIKR6xG$LAGCN5Ig9Qb0PVGOsQIdp0

Username2:$apr1$m0UYY4EB$J0Sz93pm2Ydpz1pav1m87.

Username3:$apr1$NebQRv6h$tWixqrqAS8cSc0gowk8KZ.

 

Three Different Ways to Set Up Encryption

 

Encryption Generators

There are some generators out there on the internet that will encrypt the password for you. Make sure the generator uses an algorithm that works with your operating system. If you don’t want to bother with that, look for a generator using the MD5 algorithm, which works with any platform.

 

PHP Script Encryption

This method is for servers running on Linux. It requires you to create a PHP script ( Don’t worry – you just have to copy and paste the code below and make one change), upload it to your server, and run it to encrypt each password.

To use this technique, copy the code below and paste it into your preferred text editor.

 

<?php
$clearTextPassword = ‘your password‘;

$password = crypt($clearTextPassword, base64_encode($clearTextPassword));

echo $password;
?>

 

Replace “your password” with the password you want to be encrypted. Save the file and name it htpassword.php. Note that there is no period ( . ) at the beginning of this file name. This is because it’s not hidden and is a PHP script.

Next, upload the file to your server.

To run the script and receive the encrypted password, open your browser and go to yourdomain.com/htpassword.php. If you receive an error or don’t see anything, double check your permissions for the htpassword.php file.

Copy the text that shows up in the browser page. This is your encrypted password.

Take this text and paste it into your .htpasswd file next to its username. Repeat these steps if you wish to encrypt more passwords.

 

Command Line Encryption

This is for servers running Windows. Apache has documented how to do this in an article on .htpasswd

Putting the .htpasswd Together

After you have encrypted the passwords, use a text editor (whether that be an on-server or a local editor) to input the encrypted password with the username. It will resemble something like this:

 

Paul:$apr1$INIKR6xG$LAGCN5Ig9Qb0PVGOsQIdp0

kal302:$apr1$m0UYY4EB$J0Sz93pm2Ydpz1pav1m87.

lanieB:$apr1$NebQRv6h$tWixqrqAS8cSc0gowk8KZ.

 

Once you have all your usernames and passwords in the file, save it and upload it to your server. If you are using FTP/SFTP, remember to check that your files will be uploaded in ASCII.

In your browser, go to the page or directory’s URL you are trying to protect. If everything is set up correctly, a box will pop up and ask you to login.

 

Setting Up Password Protection on WordPress

Setting up password protection on WordPress is super easy since it’s built right into the WordPress interface.

All that needs to be done is change privacy settings on a page or blog post. You can do this when you are editing a page, whether it is new or old. Here’s how to find the privacy settings:

Open the editor for your desired page. In the Post Settings sidebar, click Status to extend the dropdown. Here you will see the current privacy setting.  

A page or blog post’s default privacy setting is often Public, so you will most likely see Public in the Status window (though there is a chance you may see Private instead). Click on Public (or Private) and select a new privacy setting. In our case, we want Password Protected.

Input a password for the page or blog post and then click out of the box.

Your page or blog post now has a password. Anyone who tries to access the page will be required to input the password.

 

Now That You Have Password Protection

Once you get your password protection up and running, you can rest easy knowing your site will only let in certain visitors.

However, what happens when you no longer want password protection? Simple. Just delete the code you copied into the .htaccess file. A password will no longer be required for access and your site will be open to visitors again.

We’re Always Here to Help

While this may seem confusing, pair Networks is here to help. If you host with pair Networks, you can contact support any time. We’re here 24/7, 365 days a year to bring you the help you need. Contact support today if you need help with your pair Networks hosting site.