  • You might have a sensitive page that you want to protect with a password. Protecting it this way is known as Basic Authentication.

    The good news is it’s possible, and it is super easy.

    Why protect the webpage with a password?

    Well, there could be many reasons, including:

    • The page contains sensitive data
    • The page is not ready, and you don’t want it publicly visible but still want to share it with someone

    Whatever the reason, let’s explore how you can protect a page.

    Requirement

    Let’s take an example: I want to protect /client on lab.geekflare.com, which means anyone who accesses https://lab.geekflare.com/client should be prompted for a password.

    Apache

    Let’s start with Apache first.

    The first thing we need to create is a password file where all the credentials will be stored. The filename would be .htpasswd, and you can place it anywhere on the server (keep it outside the document root so it cannot be downloaded). I’ll create it under the /etc/httpd/conf folder.

    • You can create the file with the touch command
    touch /etc/httpd/conf/.htpasswd
    • Let’s add the user who will be allowed to access /client. We need to use the htpasswd command for this.
    htpasswd /etc/httpd/conf/.htpasswd geekflare
    • The last argument, geekflare, is the user name. Replace it with the name you want and hit Enter.
    • Enter the password, and you will see a confirmation that the user is added.
    [[email protected] html]# htpasswd /etc/httpd/conf/.htpasswd geekflare
    New password: 
    Re-type new password: 
    Adding password for user geekflare
    [[email protected] html]#

    If you cat the file, you will notice the password is not stored in plain text but as a salted hash (the $apr1$ prefix marks Apache’s MD5-based format). It is good!

    [[email protected] html]# cat /etc/httpd/conf/.htpasswd 
    geekflare:$apr1$EHvl0Bc5$nh4u0w3.Cj3wzPT7XUXqW1
    [[email protected] html]#
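
$apr1$ is what htpasswd produces by default; on Apache, bcrypt (htpasswd -B) is the stronger option. As an added example that is not part of the original article, this sh script reports the scheme of every entry in an htpasswd file so that older entries can be re-created. The function names and the alice and bob entries are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: report the hash scheme of
# every entry in an Apache htpasswd file and flag the ones worth re-creating.

# Map a stored hash to the htpasswd option that produces it.
scheme_of() {
  case $1 in
    '$2y$'*)   echo bcrypt ;;          # htpasswd -B
    '$apr1$'*) echo apr1-md5 ;;        # htpasswd -m, the default
    '{SHA}'*)  echo sha1 ;;            # htpasswd -s, unsalted SHA-1
    *)         echo crypt-or-plain ;;  # htpasswd -d or -p
  esac
}

# Print "user scheme action" per entry; status 1 if any entry needs work.
audit_htpasswd() (
  rc=0
  while IFS=: read -r user hash _rest || [ -n "$user" ]; do
    case $user in ''|'#'*) continue ;; esac   # skip blanks and comments
    scheme=$(scheme_of "$hash")
    case $scheme in
      bcrypt)   action=keep ;;
      apr1-md5) action=rehash-with-bcrypt; rc=1 ;;
      *)        action=replace-now; rc=1 ;;
    esac
    printf '%s %s %s\n' "$user" "$scheme" "$action"
  done < "$1"
  exit "$rc"
)

# Constructed sample: the entry printed above plus two made-up entries
# (the alice and bob hashes are placeholders, not real hashes).
write_sample() {
  printf '%s\n' \
    'geekflare:$apr1$EHvl0Bc5$nh4u0w3.Cj3wzPT7XUXqW1' \
    'alice:$2y$10$constructedBcryptPlaceholder' \
    'bob:{SHA}constructedPlaceholder=' > "$1"
}

sample=$(mktemp) && write_sample "$sample"
audit_htpasswd "$sample" || echo "re-create flagged users: htpasswd -B FILE USER"
rm -f "$sample"
```

Run it against the real file with audit_htpasswd /etc/httpd/conf/.htpasswd; a non-zero exit status means at least one entry is not bcrypt.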

    Next, we need to instruct Apache to protect the URI we want.

    • Modify the httpd.conf file or whichever configuration file you are using for the Apache instance. I am using the default installation, so I am using /etc/httpd/conf/httpd.conf
    • Add the following anywhere in the file
    <Directory "/var/www/html/client">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "Protected Content for Client"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
    </Directory>

    If you already have a Directory section for /var/www/html/client, then instead of adding a new section, just add the following to the existing one.

    AuthType Basic
    AuthName "Protected Content"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user
    • Restart Apache
    service httpd restart
    • Try to access the /client page, and it should ask for a password.

    • Enter the credentials you set earlier to view the content.

    Fancy .htaccess method?

    Sure, you can implement basic auth through a .htaccess file as well, provided the directory allows it (AllowOverride AuthConfig). You still need to generate credentials using htpasswd as explained above. Once done, you can add the following to the respective folder’s .htaccess file.

    AuthType Basic
    AuthName "Protected Content"
    AuthUserFile /etc/httpd/conf/.htpasswd
    Require valid-user

    The beauty is you don’t need to restart Apache.

    Nginx

    Let’s implement Basic Authentication in Nginx as follows.

    We will use the Apache utilities to generate the credentials. If the server doesn’t have Apache HTTP installed, then you need to install the utilities separately as below. If unsure, you can execute htpasswd to see if it works. If it doesn’t, then you know you need to install it.

    CentOS/RHEL 8

    dnf install httpd-tools

    CentOS/RHEL 7

    yum install httpd-tools

    Ubuntu

    apt-get install apache2-utils
    • Let’s create the credentials similar to how we did in Apache.
    htpasswd -c /etc/nginx/.htpasswd chandan
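    • Don’t forget to replace chandan with the real user name you want. The -c flag creates the file and overwrites an existing one, so leave it out when adding more users later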

    Next, we need to configure Nginx so that it restricts the particular URI with the password.

    • Let’s assume we need to protect /admin URI
    • Add the following in nginx.conf or other active Nginx configuration file
    location /admin {
        auth_basic "Admin Area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    • Restart Nginx

    What if you have to restrict the entire website served through Nginx?

    Easy!

    Add the following to nginx.conf or the active configuration file, inside the location / { block

    auth_basic "Admin Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
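
Both the Apache and Nginx steps above end by loading the page to see the password prompt. As an added example that is not part of the original article, this sh function makes the same check from the command line: it reads the headers of a response to a request sent without credentials and confirms a 401 with a Basic challenge for the configured realm. The function name and the two sample responses are constructed.

```sh
#!/bin/sh
# Added example, not from the original article.
# Reads, on stdin, the response headers of a request sent WITHOUT credentials
# (for instance the output of: curl -sI https://lab.geekflare.com/client)
# and compares them with the realm set in AuthName / auth_basic.
check_challenge() (
  want_realm=$1; status=; scheme=; realm=
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')      # header lines end in CRLF
    case $line in
      HTTP/*)                                     # status line
        status=${line#* }; status=${status%% *} ;;
      [Ww][Ww][Ww]-[Aa]uthenticate:*)             # HTTP/2 lowercases names
        value=${line#*:}; value=${value# }
        scheme=${value%% *}
        realm=${value#*realm=\"}; realm=${realm%%\"*} ;;
    esac
  done
  if [ "$status" != 401 ]; then
    echo "FAIL status=$status: served without a password challenge"; exit 1
  fi
  case $scheme in
    [Bb][Aa][Ss][Ii][Cc]) ;;
    *) echo "FAIL scheme=$scheme: expected Basic"; exit 1 ;;
  esac
  if [ "$realm" != "$want_realm" ]; then
    echo "FAIL realm=$realm: does not match the configured realm"; exit 1
  fi
  echo "OK 401 Basic realm=$realm"
)

# Constructed responses: the /admin location above, then an unprotected path.
printf 'HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\nWWW-Authenticate: Basic realm="Admin Area"\r\n\r\n' |
  check_challenge "Admin Area"
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' |
  check_challenge "Admin Area" || true
```

Running it against a few paths below the protected URI as well shows whether another location or Directory block serves them without the challenge.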

    SiteGround

    Hosting platforms have evolved. Many of them offer handy tools, and SiteGround is one of them.

    If you are using SiteGround to host your website, you can easily protect the URL from their admin console. Let’s assume you are using WordPress and need to protect /wp-admin.

    • Log in to SiteGround and go to the site where you need to enable basic authentication.
    • Click on Security >> Protected URLs >> Users
    • Enter the name and password to create the credential

    Next, we will protect wp-admin with the credential we just created.

    • Go to the URLs tab
    • Enter wp-admin in the path and click Protect
    • Click on Manage Access and assign the user you just created

    Try to access the page, and SiteGround will prompt you to enter the credentials.

    Easy, isn’t it?

    WordPress

    Using WordPress and would like to password protect a particular post, page, category, by role, or the entire site?

    Sure!

    Meet PPWP (Password Protect WordPress Plugin)

    Install the plugin and configure the way you want to protect WordPress resources. This works with page builders such as Elementor, Divi, Beaver.

    Alternatively, if you need a simple password-protected post or page, then you can take advantage of the inbuilt WP feature. You don’t need any plugin for this.

    • Go to the post or page you want to password protect.
    • Under the publish section, click Edit next to visibility: Public
    • Select Password protected and enter the password.

    • Click OK, and you are all set!

    Need more ways to secure WordPress? Check out this guide.

    cPanel

    If you are on shared hosting, then most likely you will have cPanel. The good news is cPanel offers a utility called Directory Privacy; from there, you can set a password for a directory.

    • Log in to cPanel
    • Search for Directory Privacy

    • Select the folder you want to protect. Like below, I’ve selected a folder called chandan, which is under public_html
    • Create the user who should be allowed, and save

    • Once done, you will notice the folder has a lock

    And, that’s it. The directory is password protected now. As you can see above, I’ve tested on A2 hosting, and it works great.

    Conclusion

    I hope the above helps you protect a URI or folder with a password using basic authentication. If you are looking for comprehensive website security, then you should consider implementing a WAF.