Overview
This article explains how to password protect your directory via SSH
by creating an .htaccess and .htpasswd file. The following steps are
covered in this article.
- Creating the .htpasswd file
- Creating the .htaccess file
- Code to protect a WordPress subdirectory
- Force SSL (HTTPS) on the login prompt
Using the panel to password protect your site
The easiest way to password protect your site is to use the tool in the DreamHost panel. Navigate to the Htaccess/WebDAV page. You can then set up password protection there.
No access to your .htaccess and .htpasswd files
However, please note that if you use the panel option, the .htaccess and .htpasswd files will be owned by the server. This means you will not be able to manually edit either of these files if you need to. Additionally, these instructions will overwrite any existing .htaccess file. Make sure to back up your existing .htaccess file before beginning these steps.
If you only need to password protect your site and will need access to your .htaccess and .htpasswd file at any time in the future, you should use the instructions in this article instead to manually create those files.
Creating the .htpasswd file
- Log into your server via SSH.
- Create an .htpasswd file in the directory you wish to password protect using the htpasswd utility. For the first user, say user1, run the following:
[server]$ htpasswd -c /home/username/example.com/.htpasswd user1
- Enter the password for the user. This creates a password for a user
named 'user1'. The .htpasswd file stores the password as a hash, not as
plain text, like this:
user1:$apr1$bkS4zPQl$SyGLA9oP75L5uM5GHpe9A2
- Run it again (without the -c option) for any other users you wish to allow access to your directory.
- Set the permissions on this file to 644.
[server]$ chmod 644 .htpasswd
Creating the .htaccess file
Next, create an .htaccess file using the 'nano' editor:
[server]$ nano .htaccess
Make sure to add this .htaccess file in the directory you wish to
password protect. For example, if you are password protecting your
entire site, it would go in your site's main directory:
- example.com
- example.com/members
Code examples to add to the .htaccess file
Protect an entire directory
This example password protects an entire website directory. Make sure to change the AuthUserFile path to your actual file path, replacing 'username' and 'example.com' with your username and domain name.
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
Protect a single file
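This example password protects a single file:
#Protect single file
#FILENAME is a placeholder: replace it with the name of the file to protect
<Files "FILENAME">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
</Files>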
Protect multiple files
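This example protects multiple files:
#Protect multiple files
#FILE1 and FILE2 are placeholders: replace them with the file names to protect (escape any dots as \.)
<FilesMatch "^(FILE1|FILE2)$">
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/.htpasswd
Require valid-user
</FilesMatch>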
Code to protect a WordPress subdirectory
Due to how WordPress routes all page requests, attempting to access a password protected subdirectory will throw a 404 Not Found error. To resolve this, you must add an extra line to the .htaccess file to reference ErrorDocument. This example protects a subdirectory named 'members'.
ErrorDocument 401 default
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/username/example.com/members/.htpasswd
Require valid-user
Force SSL (HTTPS) on the login prompt
By default, the login prompt you see is not encrypted. This means
your password will be sent as plain text over HTTP. In order to encrypt
this login, you must add an SSL certificate to your domain. Once added, add the code below to force SSL when logging in.
This method prevents submission of an .htaccess password prompt on an unencrypted connection. If you wish to ensure that your server is only serving documents over an encrypted SSL channel, then you must use the SSLRequireSSL directive with the +StrictRequire Option enabled:
Step 1 — Adding code to your .htaccess file
Make sure the URL you enter next to SSLRequire is your site's base URL. Do not include 'www' in front of the URL if you're forcing 'www' to be removed in your panel.
If you're securing a subdirectory such as 'example.com/blog', this URL would still be 'example.com'.
Additionally, you can use any file you like for your 403 document. Below it is shown as 'error_redirect.php'. Change this to your chosen file.
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "example.com"
ErrorDocument 403 /error_redirect.php
<Files "error_redirect.php">
AuthType none
</Files>
If you're only protecting a subdirectory
If you only want to protect a single subdirectory and not the whole site, specify the subdirectory in your .htaccess file as shown in the following code:
#Protect Directory
AuthName "Dialog prompt"
AuthType Basic
AuthUserFile /home/example_username/example.com/blog/.htpasswd
Require valid-user
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 /blog/error_redirect.php
<Files "error_redirect.php">
AuthType none
</Files>
If your site is on a server running Ubuntu 14 (Trusty), make sure to change the ErrorDocument line to the full URL path. For example:
ErrorDocument 403 https://example.com/blog/error_redirect.php
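The script below is an added example, not part of the original article or of DreamHost's tooling: it audits an .htaccess file built from the steps above, flagging Basic auth without the SSLRequireSSL and +StrictRequire lines, a missing or relative AuthUserFile path, and .htpasswd entries not hashed with apr1 or bcrypt. The finding names and the bcrypt and {SHA} checks go beyond what the article shows and are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit a Basic-auth .htaccess like the ones in this article.
# The finding names printed below are made up for this sketch.

# audit_htpasswd FILE: flag entries not hashed with apr1 (the scheme in the
# article's sample line) or bcrypt; "{SHA}" entries are unsalted SHA-1.
audit_htpasswd() {
    awk -F: '
        /^[ \t]*$/ { next }
        $2 == "" { print $1 ": no-hash"; next }
        index($2, "$apr1$") == 1 || index($2, "$2y$") == 1 { next }
        index($2, "{SHA}") == 1 { print $1 ": unsalted-sha1"; next }
        { print $1 ": not-apr1-or-bcrypt" }
    ' "$1"
}

# audit_htaccess FILE: print one finding per line; no output means all passed.
audit_htaccess() {
    # Strip indentation and comment lines such as "#Protect Directory".
    body=$(sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1")
    has() { printf '%s\n' "$body" | grep -Eiq "$1"; }

    has '^AuthType[[:space:]]+Basic' || { echo "no-basic-auth"; return 0; }
    has '^AuthName[[:space:]]'       || echo "missing-AuthName"
    has '^Require[[:space:]]'        || echo "missing-Require"
    # Without these two lines the Basic-auth password can cross plain HTTP.
    has '^SSLRequireSSL'             || echo "missing-SSLRequireSSL"
    has '^SSLOptions[[:space:]].*[+]StrictRequire' || echo "missing-StrictRequire"

    # Apache resolves a relative AuthUserFile against ServerRoot, not this directory.
    pw=$(printf '%s\n' "$body" |
         awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }')
    case $pw in
        '') echo "missing-AuthUserFile" ;;
        /*) if [ -r "$pw" ]; then audit_htpasswd "$pw"; else echo "unreadable-AuthUserFile"; fi ;;
        *)  echo "relative-AuthUserFile" ;;
    esac
    return 0
}

if [ "$#" -gt 0 ]; then audit_htaccess "$1"; fi
```

Saved under a name of your choosing and run with the path to an .htaccess file as its only argument, it prints nothing when every check passes.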