How do I password protect an Apache website?

I added .htaccess

AuthType Basic
AuthName "restricted area"
AuthUserFile /path/to/the/directory/you/are/protecting/.htpasswd
require valid-user

and .htpasswd

username:password

However, it is not working. It doesn't prompt me for login.


Your .htaccess file looks fine. The only reason it is not working as you have it is that Apache is configured to ignore it.

In your apache config, ideally in the sites-* config file, add:

<Directory /path/to/the/directory/you/are/protecting/>
      AllowOverride AuthConfig
</Directory>

The AllowOverride directive is what allows the htaccess file to function. By default, most Apache setups have it turned off (set to None actually), including Ubuntu/Debian.

In your .htpasswd file, the password must be encrypted. You can do this most easily using the htpasswd tool that mezgani suggested. It will look like this if you read the file:

bob:abJnggxhB/yWI

With the AllowOverride directive set to at least AuthConfig, your .htaccess file in place, and your .htpasswd containing a user with an encrypted password, you should be good to go.


First, add this following to your apache config:


<Directory /path/to/the/directory/you/are/protecting/>
        AllowOverride AuthConfig
        Options Indexes MultiViews FollowSymLinks
        deny from all
        Order deny,allow
</Directory>

After, you may create the .htpasswd file that will contain your login and password with htpasswd command and not manually


htpasswd -c /path/to/the/directory/you/are/protecting/.htpasswd username
I think that moving the .htpasswd file somewhere different from the path of the directory that you are protecting is more secure.

Also, For security reasons, please read this article on securityfocus