You might have some sensitive page that you want to protect with the password. This is also known as Basic Authentication.
The good news is it’s possible, and it is super easy.
Why protect the webpage with a password?
Well, there could be many reasons, including.
- Contain sensitive data on the page
- The page is not ready, and you don’t want to make it visible publicly but share with someone
Whatever it is, let’s explore how you can protect.
Requirement
Let’s take an example; I want to protect /client on lab.geekflare.com, which means if anyone access https://lab.geekflare.com/client should prompt for a password.
Apache
Let’s start with Apache first.
The first thing we need to create is a password file where all the credentials will be stored. The filename would be .htpasswd and you can place it anywhere on the server. I’ll create it under /etc/httpd/conf folder
- You can create the file with the
touchcommand
touch /etc/httpd/conf/.htpasswd- Let’s add the user who would be allowed to access /client. We need to use
htpasswdcommand for this.
htpasswd /etc/httpd/conf/.htpasswd geekflare- The last section geekflare, is the user name. Change that with what you want and hit Enter.
- Enter the password, and you will see a confirmation that the user is added.
[[email protected] html]# htpasswd /etc/httpd/conf/.htpasswd geekflare
New password:
Re-type new password:
Adding password for user geekflare
[[email protected] html]#If you cat the file, you will notice the password is stored in an encrypted format. It is good!
[[email protected] html]# cat /etc/httpd/conf/.htpasswd
geekflare:$apr1$EHvl0Bc5$nh4u0w3.Cj3wzPT7XUXqW1
[[email protected] html]#Next, we need to instruct Apache to protect the URI we want.
- Modify httpd.conf file or configuration file you are using for Apache instance. I am using default installation so I am using /etc/httpd/conf/httpd.conf
- Add the following anywhere in the file
Options Indexes FollowSymLinks
AuthType Basic
AuthName "Protected Content for Client"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user
If you already have /var/www/html/client Directory directive, then instead of adding a new section, you should just add the following in the existing directive.
AuthType Basic
AuthName "Protected Content"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-user- Restart Apache
service httpd restart- Try to access the /client page, and it should be asking for a password.
- Enter the credential you set earlier to view the content.
Fancy .htaccess method?
Sure, you can implement basic auth through .htaccess file as well. You still need to generate credentials using htpasswd as explained above. Once done, you can add the following in the respective folder’s .htaccess file.
AuthType Basic
AuthName "Protected Content"
AuthUserFile /etc/httpd/conf/.htpasswd
Require valid-userThe beauty is you don’t need to restart Apache.
Nginx
Let’s implement Basic Authentication in Nginx by following.
We will take help from Apache Utils to generate the credentials. If the server doesn’t have Apache HTTP installed, then you need to install the utils separately as below. If unsure, you can execute htpasswd to see if it works. If it doesn’t, then you know you need to install it.
CentOS/RHEL 8
dnf install httpd-toolsCentOS/RHEL 7
yum install httpd-toolsUbuntu
apt-get install apache2-utils- Let’s create the credentials similar to how we did in Apache.
htpasswd -c /etc/nginx/.htpasswd chandan- Don’t forget to replace chandan with the real user name you want
Next, we need to configure Nginx, so it restricts the particular URI with the password.
- Let’s assume we need to protect
/adminURI - Add the following in
nginx.confor other active Nginx configuration file
location /admin {
auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd;
}- Restart Nginx
What if you have to restrict the entire website getting served through Nginx?
Easy!
Add the following in nginx.conf or active configuration file under location / { directive
auth_basic "Admin Area";
auth_basic_user_file /etc/nginx/.htpasswd;SiteGround
The hosting platform has evolved. There are many platforms that offer handy tools, and SiteGround is one of them.
If you are using SiteGround to host your website, you can easily protect the URL from their admin console. Let’s assume you are using WordPress and need to protect /wp-admin.
- Login to SiteGround and go to the site where you need to enable basic authentication.
- Click on Security >> Protected URLs >> Users
- Enter the name and password to create the credential
Next, we will protect wp-admin with the credential we just created.
- Go to URLs tab
- Enter wp-admin in the path and click protect
- Click on Manage Access and assign the user you just created
Try to access the page, and SiteGround will prompt you to enter the credentials.
Easy, isn’t it?
WordPress
Using WordPress and would like to password protect a particular post, page, category, by role, or the entire site?
Sure!
Meet PPWP (Password Protect WordPress Plugin)
Install the plugin and configure the way you want to protect WordPress resources. This works with page builders such as Elementor, Divi, Beaver.
Alternatively, if you need a simple password-protected post or page, then you can take advantage of the inbuilt WP feature. You don’t need any plugin for this.
- Go to the post or page you want to enable a password.
- Under the publish section, click Edit next to visibility: Public
- Select Password protected and enter the password.
- Click, OK, and you are all set!
Need more ways to secure WordPress? Check out this guide.
cPanel
If you are on shared hosting, then most likely you will have cPanel. The good news is cPanel offers a utility called Directory Privacy; from there, you can set a password for directory.
- Login to cPanel
- Search for Directory Privacy
- Select the folder you want to protect. Like below, I’ve selected a folder called chandan, which is under public_html
- Create the user which should be allowed and save
- Once done, you will notice the folder has a lock
And, that’s it. The directory is password protected now. As you can see above, I’ve tested on A2 hosting, and it works great.
Conclusion
I hope the above helps you to protect certain URI, folder with the password using basic authentication. If you are looking for comprehensive website security, then you should consider implementing WAF.
