Password Protecting a Web Page

Apache web servers like those the CAT maintains allow users to protect certain folders in their web sites with a username and password. This is accomplished with two files:

  • .htaccess, which specifies the message users will see when they attempt to log in and the username they will use, and
  • .htpasswd, which specifies the corresponding password (stored as a hash rather than in plain text)

The .htaccess file is capable of doing a lot more besides password protection, but that is beyond the scope of this tutorial. Apache has ample documentation on creating detailed .htaccess files.

To protect a directory in your web space, follow these instructions:

Step 1:

Connect to websftp.cecs.pdx.edu using ssh. Your Linux home directory on websftp mimics your home directory seen by the web server supporting your web space.

NOTE: your home directory on websftp.cecs.pdx.edu is different from your regular home directory on MCECS Ubuntu Linux systems.

Step 2:

Create the .htpasswd file

You can put this file wherever you like, but it’s a good idea to create it in a directory that is not accessible from a web browser (i.e. not inside your public_html folder). For this example, we will create a .htpasswd file in your home directory, which is the default directory when you connect to a machine remotely. To generate the file, type this into the command line:

htpasswd -c [password filename] [username]

where [password filename] is the name you’d like to call the password file and [username] is the username you want people to use when they access your protected page. You can name this password file anything you want, but make sure you remember what it’s called, where it is (full path to it on websftp), and the password you choose in the next step.

So, for example, if you wanted people to use the name “roboticsteam” as the username and you wanted the file to simply be called “.htpasswd”, you might type this in:

htpasswd -c .htpasswd roboticsteam

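Once you type in the command, you will be asked for a password. This is the password people will use to authenticate to your web space. Enter it, and your password file will be created. Note that the -c option creates the file and overwrites any existing file of the same name, so leave it out if you later add another user to the same password file.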

Step 3:

Make sure the .htpasswd file has the right permissions

We need to make sure that the password file we just created can be read by the web server, but is secret from other users on the system. To do that, run this command:

chmod 0644 [password filename]

So for our example, we would type:

chmod 0644 .htpasswd

Step 4:

Create the .htaccess file

Next, you need to navigate to the folder you want to protect. This will probably be your public_html folder, or a folder inside of it. The folder you choose, including all of its files and any folders within it, will require password authentication once this process is complete.

Once you’re in the directory you want to protect, create a file called “.htaccess” (no quotes – make sure you include the period at the beginning), with exactly this content:

AuthType basic
AuthName [put the message you want users to be prompted with here, inside double quotes]
AuthUserFile [put the FULL PATH to the password file you just made here]
require valid-user

While you can call your .htpasswd file anything you want, it is very important that you keep the name “.htaccess” for this file. The web server looks for that name and that name only.

So, going back to our robotics team example, we might use something like this for our .htaccess file:

AuthType basic
AuthName "Robotics Team Secret Files"
AuthUserFile /u/username/.htpasswd
require valid-user

Step 5:

Make sure the .htaccess file has the right permissions

To finish up, we need to make sure that the .htaccess file has the right permissions as well. To do that, run this command:

chmod 0644 .htaccess

If you followed these steps correctly, you will now see a working password authentication dialog when you try to access your protected folder.
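
One way to check the result of Steps 2 through 5 before relying on it, as an added example that is not part of the original tutorial. The function name check_protected_dir, its WEBROOT argument and the demo layout built at the end are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the result of Steps 2-5.
# Usage: check_protected_dir DIR [WEBROOT]   (WEBROOT defaults to ~/public_html)
check_protected_dir() {
    ht="$1/.htaccess"; webroot=${2:-$HOME/public_html}; problems=0
    note() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    # Mode 0644 from Steps 3 and 5: anyone may read, only the owner may write.
    check_mode() {
        case $(ls -ld "$1" | cut -c1-10) in
            ?????w????|????????w?) note "$1 is writable by group or others" ;;
            ???????r??) ;;
            *) note "$1 is not world-readable; the web server may be locked out" ;;
        esac
    }
    [ -f "$ht" ] || { note "$ht not found"; return 1; }
    check_mode "$ht"
    # Step 4 directives (Apache ignores their case); AuthUserFile is checked below.
    for d in AuthType AuthName Require; do
        grep -qi "^[[:space:]]*$d[[:space:]]" "$ht" || note "missing $d directive"
    done
    # Text pasted from a web page often carries curly quotes; use straight ones.
    grep -qF -e '“' -e '”' "$ht" && note "curly quotes in $ht"
    pw=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    case $pw in
        "") note "missing AuthUserFile path" ;;
        "$webroot"/*) note "$pw is inside the web root $webroot" ;;
        /*) ;;
        *) note "AuthUserFile must be a full path, got: $pw" ;;
    esac
    if [ -f "$pw" ]; then check_mode "$pw"
    elif [ -n "$pw" ]; then note "password file $pw not found"
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo layout: password file outside the web root, as in Step 2.
demo=$(mktemp -d) && mkdir -p "$demo/public_html/team"
echo 'roboticsteam:constructed-placeholder-hash' > "$demo/.htpasswd"
printf 'AuthType basic\nAuthName "Robotics Team Secret Files"\nAuthUserFile %s\nrequire valid-user\n' \
    "$demo/.htpasswd" > "$demo/public_html/team/.htaccess"
chmod 0644 "$demo/.htpasswd" "$demo/public_html/team/.htaccess"
check_protected_dir "$demo/public_html/team" "$demo/public_html" && echo "no problems found"
rm -rf "$demo"
```

The function prints one PROBLEM line per finding and returns non-zero if there were any, so it can be run again after each change to the two files.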

If you’d like to know more about the many additional capabilities of htaccess and htpasswd, the Apache Software Foundation has a useful page here.