Jun 19 2010

.htaccess 101: how to password protect a directory

What’s the easiest way to make an .htaccess file in Unix/Linux so that a directory is password protected? Suppose that your home directory is /home/dmistry and all your web content is in /home/dmistry/www/. Follow these steps:

  1. Make an .htpasswd file. The htpasswd command in Unix does this. Put the password file outside of your web directory. A command like “htpasswd -bc /home/dmistry/.htpasswd review donotenter” creates a new file /home/dmistry/.htpasswd containing the username review with the password donotenter. If you then run “cat /home/dmistry/.htpasswd” you might see a line like “review:M1OdtjdGiDn1Y”.
  2. Make an .htaccess file. In this case, the file would be located at /home/dmistry/www/.htaccess and it would look something like:
    AuthUserFile /home/dmistry/.htpasswd
    AuthName EnterPassword
    AuthType Basic
    <Limit GET POST>
    require valid-user
    </Limit>
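Two things in the stanza above are worth checking mechanically: that AuthUserFile really points outside the web root, and what the `<Limit GET POST>` wrapper does. Apache applies directives inside `<Limit GET POST>` only to those two request methods, so a `Require valid-user` placed there leaves any other method unrestricted; writing `Require valid-user` directly in the file applies it to every method. The following is an added example, not code from the original post: a small Python linter run over two constructed stanzas, the one from the post and a variant with the `<Limit>` wrapper removed. The paths, the sample contents and the helper names (`lint_htaccess`, `mode_is_locked_down`) are constructed for illustration; the directive names are real Apache httpd directives.

```python
"""Lint an .htaccess Basic-auth stanza for the mistakes the post warns about.

Added example, not from the original post. Sample stanzas and paths below
are constructed; AuthUserFile, AuthType, <Limit> and Require are real
Apache httpd directives.
"""
import os
import re
import stat
from typing import List

# Constructed sample 1: the stanza exactly as shown in the post.
HTACCESS_FROM_POST = """\
AuthUserFile /home/dmistry/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
"""

# Constructed sample 2: same directives, Require applied to every method.
HTACCESS_HARDENED = """\
AuthUserFile /home/dmistry/.htpasswd
AuthName EnterPassword
AuthType Basic
Require valid-user
"""

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")
LIMIT_OPEN_RE = re.compile(r"^\s*<Limit(Except)?\b(.*?)>\s*$", re.IGNORECASE)
LIMIT_CLOSE_RE = re.compile(r"^\s*</Limit(Except)?>\s*$", re.IGNORECASE)


def lint_htaccess(text: str, web_root: str) -> List[str]:
    """Return findings for one .htaccess stanza; an empty list means it passed.

    Checks: AuthUserFile present and not under web_root (so the hash file can
    never be served as a download), AuthType Basic, and a Require directive
    that is not wrapped in <Limit>/<LimitExcept> (which would protect only
    the listed methods).
    """
    findings: List[str] = []
    auth_user_file = None
    auth_type = None
    saw_require = False
    require_inside_limit = False
    in_limit = False

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if LIMIT_OPEN_RE.match(line):
            in_limit = True
            continue
        if LIMIT_CLOSE_RE.match(line):
            in_limit = False
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "authuserfile":
            auth_user_file = value.strip('"')
        elif name == "authtype":
            auth_type = value
        elif name == "require":
            saw_require = True
            if in_limit:
                require_inside_limit = True

    root = os.path.normpath(web_root)
    if auth_user_file is None:
        findings.append("AuthUserFile missing: no password file configured")
    else:
        path = os.path.normpath(auth_user_file)
        if path == root or path.startswith(root + os.sep):
            findings.append(f"AuthUserFile {auth_user_file} is inside web root {web_root}")
    if auth_type is None or auth_type.lower() != "basic":
        findings.append("AuthType Basic missing")
    if not saw_require:
        findings.append("Require directive missing: directory is not actually protected")
    elif require_inside_limit:
        findings.append("Require is wrapped in <Limit>: only the listed methods are protected")
    return findings


def mode_is_locked_down(st_mode: int) -> bool:
    """True if the password file grants nothing to 'other' (e.g. 0640 or 0600).

    The web server user usually reads the file via group or owner; on a
    shared host, world-readable hashes are what the comments below warn about.
    """
    return (st_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)) == 0


if __name__ == "__main__":
    web_root = "/home/dmistry/www"  # constructed, matches the post
    for label, text in (("post", HTACCESS_FROM_POST), ("hardened", HTACCESS_HARDENED)):
        print(label, lint_htaccess(text, web_root) or ["OK"])
    # Mode check on a real file, if the password file exists on this machine.
    pw_file = "/home/dmistry/.htpasswd"
    if os.path.exists(pw_file):
        print("mode ok:", mode_is_locked_down(os.stat(pw_file).st_mode))
```

Run against the post's stanza the linter reports only the `<Limit>` finding; against the hardened variant it reports nothing. The linter does not look at how the password file was created; note that `htpasswd -b` takes the password on the command line, where it is visible in shell history and process listings, so the interactive form (omit `-b`) is preferable outside scripts.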

About Dinesh Mistry
I am a full-time Security Professional, Ethical Hacker, and overall technology enthusiast. I also enjoy working on Search Engine Optimization as time permits.

Comments

  1. Jay says:

    Good advice; far too few small-shop webpages have proper access control in place, this is definitely a step (out of many) in the right direction.

    I cannot emphasize enough the significance of ensuring that the password file is stored outside of the web directory. Even if it only contains hashes, a well-equipped novice hacker could easily use a brute force tool such as John to enumerate the keys to your web server “castle”. Additionally, ensure that access to these files is strictly locked down (man chmod may very well be your best friend), especially if the server resides within a shared environment.