Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

HTAccess Password-Protection Tricks

Recently a reader asked about how to password-protect a directory for every specified IP while allowing open access to everyone else. In my article, Stupid htaccess Tricks, I show how to password-protect a directory for every IP except the one specified, but not for the reverse case. In this article, I will demonstrate this technique along with a wide variety of other useful password-protection tricks, including a few from my Stupid htaccess Tricks article. Before getting into the juicy stuff, we’ll review a few basics of HTAccess password protection.

HTAccess password protection works in cascading fashion

Before we begin, there are few things you need to know about Apache’s various password-protection directives. First, these password-protection tricks apply to the directory in which they are placed. For example, to password-protect your entire site, you would place one of these tricks in the web-accessible root HTAccess file for your site. HTAccess directives are applied down the directory structure, in cascading fashion, such that all subdirectories are also protected.

You need two files for password protection: htaccess and htpasswd

The second thing you need to know is that, in most cases, there are two parts to any password-protection implementation: the .htaccess file and the .htpasswd file. The .htaccess file will contain any of the sweet tricks provided in this article, while the .htpasswd file will contain the required username and an encrypted version of your password.

There are several ways to generate your .htpasswd file. If you are comfortable with Unix, you can simply run the “htpasswd” command. For example, entering the following command will create a working password file in the /home/path/ directory:

htpasswd -bc /home/path/.htpasswd username password

Placing the password file above the web-accessible root directory is a good security measure. If you examine the file after it has been created, the only thing it will contain is a line that looks similar to this:

username:Mx1lbGn.nkP8

Instead of running a Unix command, you may prefer to use one of the 200,000 online services providing an online password generator.

Regardless of how or where you decide to create your .htpasswd file, keep its location in mind for use in its associated HTAccess file(s). And yes, you may use one .htpasswd file for multiple HTAccess files placed in multiple directories.

Know which version of Apache you are using

In each of the examples below, the directives are enclosed within an <IfModule> container. This is to prevent your server from crashing if the required Apache modules are not available or not installed. Generally, the required modules will be present, but the <IfModule> check is a good precautionary measure.

When implementing any of the password-protection methods in this article, make sure you double-check which version of Apache you are using before you begin. The examples in this article assume you are using either Apache 1.3 or 2.0, as the <IfModule> containers are checking for the presence of the mod_auth module. Thus, if you are running Apache 2.2 (or better), you will want to replace the current <IfModule> containers with the following:

<IfModule mod_authn_file.c></IfModule>

If in doubt, ask your host, install the ShowIP Firefox extension, or dig around in your server’s control panel. And, if you just don’t know, don’t care, or can’t figure it out, just remove the opening and closing <IfModule> tags from the method you would like to use and call it good. Without them, if your server is not equipped the required module, it will simply return a 500 error message, which is easily resolved by removing the password directives.

You can customize the dialogue on the password prompt

The last thing that you should know before diving into some sweet tricks is that you may customize the message shown on the password prompt by editing the following line in each of the examples in this article:

AuthName "Username and password required"

By changing the text inside of the quotes, you may use any language you wish for the password prompt.

So now at this point in our adventure, we’re ready to dive into some juicy HTAccess password-protection tricks..

Basic password protection

To password protect your site or any directory, place this code in the associated HTAccess file:

# basic password protection
<IfModule mod_auth.c>
 AuthUserFile /home/path/.htpasswd
 AuthName "Username and password required"
 AuthType Basic
 <Limit GET POST>
  Require valid-user
 </Limit>
</IfModule>

That’s about as basic as it gets. Remember to create your password file and specify its directory in the first line. Let’s move on to something more interesting.

Open-access for one IP, password-protect everyone else

This method is great during project development, where you want open access with the ability to give others access via password:

# password protect excluding specific ip
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 AuthType Basic
 Require valid-user
 Order Deny,Allow
 Deny from all
 Allow from 111.222.333.444
 Satisfy Any
</IfModule>

By placing that code into the HTAccess file of the directory that you would like to protect, only the specified IP will be allowed open access; everyone else will need to enter the proper username and password.

Open access multiple IPs, password-protect everyone else

The above code may be modified easily to provide multiple IPs open access while denying everyone else:

# password protect excluding specific ips
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 AuthType Basic
 Require valid-user
 Order Deny,Allow
 Deny from all
 Allow from localhost
 Allow from 111.222.333.444
 Allow from 555.666.777.888
 Satisfy Any
</IfModule>

You may add as many IPs as needed. This method is great during project development, where the following conditions will apply:

  • Project development remains private for regular visitors
  • Access may be granted to clients (or anyone) by providing the password
  • Members of the development team have open access on their respective machines

In addition to providing unrestricted access to your team, you may also want to keep certain web services in mind by including the following directives (insert above the Satisfy Any directive):

Allow from validator.w3.org
Allow from jigsaw.w3.org
Allow from google.com

Open access for everyone with password-protect for specific IPs

This method is useful for a variety of situations, including cases where you would like to block a list of malicious IPs.

# password protect only for specified ips
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 AuthType Basic
 Require valid-user
 Order Allow,Deny
 Allow from all
 Deny from 111.222.333.444
 Deny from 555.666.777.888
 Satisfy Any
</IfModule>

You may list as many IP addresses as necessary. You may also deny from entire IP blocks by truncating the address accordingly. For example, to block everyone coming from an IP address beginning with “999.888”, we would add the following directive:

Deny from 999.888

For more information on how this works, see this section of my Stupid htaccess Tricks article.

Open access for everyone with password-protect for specific CIDR number

Similar to the previous method, here is a technique for requiring a password only from a select CIDR number. This method is useful for blocking mega-spammers such as RIPE, Optinet, and others. If, for example, you find yourself adding line after line of Apache Deny directives for addresses beginning with the same first few numbers, choose one of them and try a whois lookup. Listed within the whois results will be the CIDR value representing every IP address associated with that particular network. Thus, blocking via CIDR is an effective way to eloquently prevent all IP instances of the offender from accessing your site. Here is a generalized example for blocking by CIDR:

# password protect only for specified CIDR
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 AuthType Basic
 Require valid-user
 Order Allow,Deny
 Allow from all
 Deny from 10.1.0.0/16
 Deny from 80.0.0/8
 Satisfy Any
</IfModule>

Password protect a single file

I have used this technique countless times. To password-protect a single file, simply add this to your HTAccess file:

# password protect single file
<IfModule mod_auth.c>
 <Files "protected.html">
  AuthName "Username and password required"
  AuthUserFile /home/path/.htpasswd
  Require valid-user
  AuthType Basic
 </Files>
</IfModule>

Here we are protecting a file named “protected.html” from access. The file will only be available after submission of the proper username and password.

Password protect multiple files

To protect multiple files, the method is very similar, only this time we are using Apache’s FilesMatch directive. This allows us to list as many files as needed:

# password protect mulitple files
<IfModule mod_auth.c>
 <FilesMatch "(protected\.html)|(passwords\.txt)">
  AuthName "Username and password required"
  AuthUserFile /home/path/.htpasswd
  Require valid-user
  AuthType Basic
 </FilesMatch>
</IfModule>

In this example, we are password protecting two files, “protected.html” and “passwords.txt”. To add more, simply include more instances of “|(filename\.ext)” in the list of files.

Password protect multiple file types

With this method, we are using Apache’s FilesMatch directive to password-protect multiple file types. Here is an example:

# password protect mulitple file types
<IfModule mod_auth.c>
 <FilesMatch "\.(inc|txt|log|dat|zip|rar)$">
  AuthName "Username and password required"
  AuthUserFile /home/path/.htpasswd
  Require valid-user
  AuthType Basic
 </FilesMatch>
</IfModule>

Once in place, this code will require a password for access to the following file types: .inc, .txt, .log, .dat, .zip, and .rar. Customize to suit your needs.

Password protection for everything except a single file

Thanks to Brett Batie for this powerful technique for allowing access to a single file while password-protecting everything else:

# password protect everything except a single file
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 Require valid-user
 AuthType Basic
 <Files "open-access.html">
  Order Deny,Allow
  Deny from all
  Allow from 123.456.789
  Satisfy any
 </Files>
</IfModule>

When placed in the root directory or any parent directory, this code will password-protect everything except the file named “open-access.html”, which itself may be located in any subsequent directory or subdirectory.

To protect everything while allowing access to multiple files, we may use Apache’s FilesMatch directive instead. Here is an example allowing access to “open-access-1.html”, “open-access-2.html”, and “open-access-3.html”:

# password protect everything except specified files
<IfModule mod_auth.c>
 AuthName "Username and password required"
 AuthUserFile /home/path/.htpasswd
 Require valid-user
 AuthType Basic
 <FilesMatch "(open-access-1.html)|(open-access-2.html)|(open-access-3.html)">
  Order Deny,Allow
  Deny from all
  Allow from 123.456.789
  Satisfy any
 </FilesMatch>
</IfModule>

Note that we may consolidate the file list as follows:

<FilesMatch "open-access-[1-3]\.html">

An alternative approach to allowing open access to any file or group of files is to locate them in their own directory with the following directives added to its HTAccess file:

Allow from all
satisfy any

Wrap it up then

As you can see, Apache’ mod_auth functionality makes it possible to configure just about password-protection setup you may need. From preventing access from specific IP addresses and domains to allowing access only for specific files and directories, Apache makes it possible to protect your files easily and securely. And we haven’t even gotten into the many possibilities available for configuring specific user and group authorizations. I think I’ll save that for another article. In the meantime, for more information on Apache’s powerful mod_auth, check out the Official Documentation.

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
Blackhole Pro: Trap bad bots in a virtual black hole.

25 responses to “HTAccess Password-Protection Tricks”

  1. @esthezia: not sure, but it sounds like a path issue. The key to setting up htaccess password protection is making sure that all of the files and paths are available, included, and properly referenced. When this happens for me, I usually triple-check that everything is exactly where it should be.

  2. Stone Deft 2010/01/05 9:31 pm

    Nice post Jeff

    How can I protect files for certain users, like user1 can only access user1.html and user2 can only access user2.html

    Thanks

  3. Jeff Starr 2010/01/06 1:06 pm

    @Stone Deft: not sure.. if it isn’t covered in the article, you may want to try google – there is lots of good info on setting up per-user passwords with htaccess.

  4. Stone Deft 2010/01/06 7:24 pm

    Thanks Jeff here’s what I did :

    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /home/mySite/.htpasswds/.htpasswd
    AuthGroupFile /dev/null
    Require valid-user
    require user stonedeft

    Cheers

  5. Jeff Starr 2010/01/09 9:10 pm

    Thanks for the follow-up, Stone – great to hear you found a solution :)

  6. I WROTE CODE LIKE THIS:

    AuthName "UNDER DEVELOPMENT"
    AuthUserFile /home/path/.htpasswd
    AuthType Basic
    Require valid-user
    Order Deny,Allow
    Deny from all
    Allow from 192.168.10.118
    Satisfy Any

    BUT I AM STILL PROMPTED PASSWORD ON THE ALLOSED IP 192.168.10.118
    PLEASE HELP…..I’M DESPERATE

  7. Jeff Starr 2010/03/22 1:39 pm

    @Peter: Without looking into it, it is difficult to guess what the issue might be. One thing I can tell you is that setting up htaccess password protection to work properly requires very precise synchronization of all involved components: the .htaccess file, the password file, the IP, and so on. I suggest triple-checking that everything is in fact in place as declared in the various directives.

  8. Thanx for the reply Jeff, but It got me confused because when i have ‘Satisfy any’ in .htaccess file, the website does not require password but when i remove it, every ip address is required password. Anyway thank you for the help, i will try even more checking.

  9. how do I know the site really secure?
    sometimes we have done everything but the hackers still can bombard our website

  10. I’ve been struggling with how to password protect individual blogs on a WordPress 3.0 multisite network. Ideally, I need web visitors to arrive at the subdomain URL (subdomain.domain.com) and be required to enter a password to gain access to the blog, but then not be asked for a password for any of the pages within that blog until they close out their browser session. I know you can accomplish this with .htaccess on a directory – but I don’t know how it would work with WordPress 3.0 multisites since they don’t exist in a directory. Any guidance would be appreciated. Thanks!

  11. mod_auth has been deprecated in Version 2 of Apache Server in favor of mod_auth_basic. People trying to use the examples in your most excellent tutorial may find they don’t work with the <IfModule mod_auth.c> and </IfModule> lines left in. Apache 2 will ignore the whole thing when it processes .htaccess

    The mod_auth page on Apache’s site says:

    You are looking at the documentation for the 1.3 version of the Apache HTTP Server, which is no longer maintained, and has been declared “end of life”. If you are in fact still using the 1.3 version, please consider upgrading. The current version of the server is 2.2. In 2.2, the equivalent of this module is now named mod_auth_basic. However, authentication has changed enormously in the 2.x versions, and you are encouraged to look at the Authentication HowTo for an overview of those changes.

    Editor’s note: This is addressed directly in the article in the section, “Know which version of Apache you are using”.

  12. Loren Engrav 2011/08/27 8:31 pm

    I have a pword protected folder (htaccess method) and within that another folder.

    When going to index1.html in the top folder, a pword is requested.

    Index1.html then links to index2.html in the next folder and index2 comes up Ok.

    Index2 has a src link to a m4v movie also in that second folder. But the movie will not load/play without the pword being entered again.

    Why is the pword being asked for again?

    thank you.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
.htaccess made easy: Improve site performance and security.
Thoughts
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Crazy that we’re almost halfway thru 2024.
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.