
Personal Websites - Password Protect Your Website

This article explains how to password protect part or all of your personal website.

You may want to password protect part of your website to restrict access to specific individuals rather than opening it to the world at large. The following instructions tell you how to do that, but be aware that this is not a fully secured web environment, so you should not set passwords for your home site that are used for other purposes elsewhere (e.g. don't use your CNet password).

  1. To set up password access, you will need to create two files, .htaccess and .htpasswd. .htaccess is the file placed in the directory you want to protect. .htaccess will also protect all subdirectories of the directory in which it resides. .htpasswd is simply the list of users and passwords to which .htaccess refers when granting or denying access.
  2. Create a new text file named .htaccess for your specified directory.
  3. In your text editor, paste the following text:
    AuthUserFile /www/home-users/username/your directory(ies)/.htpasswd
    AuthName restricted
    AuthType Basic
    # <Limit GET> applies the password requirement to GET and HEAD requests only
    <Limit GET>
    require valid-user
    </Limit>

    Where username is your CNetID, your directory(ies) is/are the additional directory(ies) under public_html you have specified (be sure a slash separates them!), restricted is the name of the realm displayed in the web browser's password dialog box, and valid-user refers to the type of user whose password grants them access. If you keep valid-user, any user listed in your .htpasswd file (to be created momentarily) can access your protected directory by entering their password correctly. If, however, you want only one specific user to have access, replace valid-user with user username, where username is one of the users listed in your .htpasswd file.
  4. It's time to create the .htpasswd file.
  5. Using a text editor, enter a username and password in the format username:password. Each username:password pair should be on a separate line. Furthermore, you must enter the password not in plain text, but in a converted, mildly encrypted format: check here for help with the encryption. For example, the entry userid:mypassword is encrypted and entered into .htpasswd as userid:easvVGdvCAXcg. Never enter a CNetID password into your .htpasswd file. Save the .htpasswd file when you are finished.
  6. Now, use an SFTP client to upload both your .htaccess and .htpasswd files to the folder(s) that you want protected. Congratulations, your site or portion thereof is now password protected.
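
An added example, not part of the original article or of the University's tooling: a Python check that reads .htpasswd entries and reports which hash format each one uses and which part of the string is the salt. The salt is why one password can be represented by many different strings, as the note that follows mentions. The first sample entry is the article's own; the other entries, the function names and the scheme labels are assumptions made for this example.

```python
import re

C = r"[./A-Za-z0-9]"  # alphabet used by crypt-style hashes
# (scheme, pattern whose group 1 is the salt, note). Not an exhaustive list.
SCHEMES = [
    ("bcrypt", re.compile(rf"^\$2[aby]\$\d\d\$({C}{{22}}){C}{{31}}$"),
     "salted, adjustable cost"),
    ("apr1-md5", re.compile(rf"^\$apr1\$({C}{{1,8}})\${C}{{22}}$"),
     "salted MD5 variant"),
    ("sha1", re.compile(r"^\{SHA\}()[A-Za-z0-9+/]{27}=$"),
     "no salt: a password always maps to the same string"),
    ("des-crypt", re.compile(rf"^({C}{{2}}){C}{{11}}$"),
     "2-character salt; only the first 8 password characters count"),
]


def classify(value):
    """Return (scheme, salt, note) for the text after 'username:'."""
    for scheme, pattern, note in SCHEMES:
        match = pattern.match(value)
        if match:
            return scheme, match.group(1) or None, note
    return "unrecognised", None, "no known hash format; possibly plain text"


def audit_htpasswd(text):
    """Return one dict per entry; blank lines and '#' comments are skipped."""
    results = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        if not (sep and user and value):
            scheme, salt, note = "malformed", None, "expected username:hash"
        else:
            scheme, salt, note = classify(value)
        results.append({"line": line_no, "user": user, "scheme": scheme,
                        "salt": salt, "note": note})
    return results


# First entry is the article's example; the rest are constructed samples.
SAMPLE = """userid:easvVGdvCAXcg
alice:mypassword
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0
"""

if __name__ == "__main__":
    for entry in audit_htpasswd(SAMPLE):
        print(entry)
```

A 13-character plain-text password drawn from the same alphabet would be reported as des-crypt, so treat the result as a format check rather than proof that an entry was hashed.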

    Note: You may have noticed that a single password may be represented by a variety of encrypted strings. This is normal. Additionally, WebAdmin cautions that .htpasswd protection is not very secure. It's best to think of it as the equivalent of a hook-and-eye lock on a bathroom door--it will keep out the polite, but not the determined intruders. This is why we strongly encourage you not to use and store CNet passwords in your .htpasswd file. They can be compromised and exploited well beyond gaining access to your site.

Doc ID: 15892
Owner: Paul B.
Group: University of Chicago
Created: 2010-11-30 19:00 CDT
Updated: 2017-04-14 12:28 CDT
Sites:University of Chicago, University of Chicago - Sandbox