Password-protecting directories

Using the Control Panel
Warning: This will overwrite any .htaccess file you may already have.  Go to the Goodies > Htaccess/WebDAV area of the control panel. If you have more than one domain, select the domain which contains the directory you'd like to protect. Click on Configure a new directory (or Set up a new directory if you already have one). On the next page:  Enter the directory you'd like to protect (leave it blank to protect the entire domain.) Note that the directory must already exist. Enter the name you'd like to call this area (this will appear in the pop-up window asking for your password) Enter a list of all the valid usernames and passwords, each pair on the same line separated by a space, one pair per line, for this password-protected directory. Optionally, set up WebDAV and/or Link Protection.</li> Click the Configure this Directory button.</li> </ul> </li> Within 10 minutes that directory on your site will be protected!</li> </ol>

The following image shows an example of setting up a password-protected directory:

In this case, users who go to the URL http://www.example.com/private/ would receive the following login prompt:

Only people with one of the username/password combinations you specified (such as username: ringo, password: yellowsubmarine) will be able to view the directory contents.

Using .htaccess
Sometimes you might want more control over how your directories are password-protected, such as being able to assign groups access instead of individual users. Or you might already have an .htaccess file in a directory and you don't want the automatically-generated one to overwrite it. Or maybe you just abhor all those weenie control panel type of apps and like to do everything yourself. If any of the above apply to you, then good news! You can do the above procedure manually using the magic of .htaccess!

Creating a .htaccess file
Begin by creating an .htaccess file with the following (or add these lines to an existing one):

AuthType Basic AuthUserFile /home/USERNAME/.htpasswd AuthName "My Private Area" require valid-user

Replace USERNAME with your DreamHost user name, and My Private Area with a description of the directory you're protecting. Finally, upload the file to the directory you wish to protect.

Next, you'll need to add users to the password file (.htpasswd). This is done in one of two ways:

Adding users from the shell
If you have shell access, enter the following command: /usr/bin/htpasswd -c ~/.htpasswd USERNAME Replace USERNAME with the username of the user you wish to add (such as good ol' ringo). You'll be prompted to enter a password for the user.

Additional users can be added using almost the same command: /usr/bin/htpasswd ~/.htpasswd USERNAME

At the end of the day, you should end up with a file called .htpasswd in your home directory, containing something that looks sort of like this:

john:nPqDiHGRF0sSw paul:zGKlu.8k8n08U george:r0sxbOD5zCWPU ringo:xVcAVoGlAvjvM

The lines each read as:

username:encryptedpassword

Creating a .htpasswd file manually
If your user is an ftp-only account, fear not! You can still participate in the wonders of .htaccess password protection. All you have to do is create a file that looks like the one above manually.

Once you've created the file, just upload it to your home directory (/home/USERNAME/). If possible, you should chmod your .htpasswd file to 640 or 644.

A Word About Passwords
Note that our systems use the traditional Unix crypt(3) function with a random 32-bit salt (only 12 bits used) and the first 8 characters of the password. This means, in essence, that only the first 8 characters of the password are significant.

Password Protecting Directories within WordPress
If you are going to try to password protect a directory under a WordPress installation you'll need to take an additional step in order to make it work. This is because WordPress creates its own .htaccess file in the domains root hosting directory which you will need to make a change to in order to make our password protection feature work. If you don't make this modification WordPress will give a 404 error when you try to access your password protected directories!

A typical WordPress unmodified .htaccess file looks like this;

<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule. /index.php [L] </IfModule>
 * 1) BEGIN WordPress
 * 1) END WordPress

However, in order to password protect any directory you'd need to add these additional directives above the WordPress directives like so;

<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC] RewriteRule. - [L] </IfModule>

The modified file should look like this afterwords;

<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC] RewriteRule. - [L] </IfModule> <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule. /index.php [L] </IfModule>
 * 1) BEGIN WordPress
 * 1) END WordPress

This will stop WordPress from giving a 404 error code when you try to access your password protected directory (or our virtual "stats" directory as well). Instead it will give a 403 (authorization required) and prompt you for a valid username/password instead to access it. Once you give a valid username/password it should grant you access to the directory. Once you've made this change you can password protect whatever directories you want to under this WordPress installation.