September 18, 2004

Password Protecting Your Blog with .htaccess

One way to set up a private, password-protected weblog is by adding a .htaccess file to the directory in which the weblog resides. .htaccess files can give you extra control over your server, allowing you to password protect directories, enable server side includes, generate custom error messages, and block users by IP address, among other things. I've already described the fundamentals of .htaccess in another tutorial; see What is .htaccess? If you are setting up .htaccess for the first time, be sure to read that tutorial thoroughly.

1. Create .htpasswd

The first thing you need to do, before creating your .htaccess file, is to create a file called .htpasswd, which will hold the user names and passwords of those to whom you are giving access to your private weblog. You will need to encrypt the passwords. It has been recommended by a commenter here that you not use a web-based password generator site, for security reasons. The same commenter notes that if you have root access to your server, SSH to it, change to the directory in which you wish to create the .htpasswd, and type "htpasswd -bc .htpasswd username password" (without the quotes; replacing username with your username and password with your desired password). The "c" means "create a new file" and the "b" means "use the password given on the command line (rather than prompting for it)". If you do not have access to your server, it is suggested that you have your server admin do this for you.

For example, the name "bartlett" and password "westwing" would look like this, encrypted and ready to be placed on your .htpasswd file: bartlett:09ArhAKMeRSE6

Create the strings of user names and passwords for those to whom you will give access to your private blog.

Copy and paste these into a text editor, one line for each name:password. Save the file to your desktop; note that you probably will not be able to save it with the (.) in front of htpasswd. That's okay; make the change when you upload the file to your server with FTP.

2. Upload .htpasswd to your server

For security, you should upload this file into a secure place on your server, above your root directory, not in your public_html directory, not in a directory that is accessible by the web. Upload the file as ASCII text. Make a note of the path to the file.

3. Create your .htaccess file

I have found two similar sets of .htaccess code for password protection, and they both work on my server. I'll list them here, but check with your webhost first. If they allow .htaccess, they may very well have a tutorial about how to use it on their servers.

One code method:

AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require valid-user

The first line, containing the directive AuthUserFile, is the full server path to your .htpasswd file. Use the path that will work with your server set-up to get to where you placed your password file. (Note path, not URL.) Note that .htaccess will not work if there are extra spaces after AuthUserFile. There is only one space after AuthUserFile before the path.

The second directive, AuthGroupFile, points to a list of user groups for user authentication. Since we're not doing that, it is set to /dev/null.

According to the Apache organization documentation, the third line, AuthName,

sets the name of the authorization realm for a directory. This realm is given to the client so that the user knows which username and password to send. AuthName takes a single argument; if the realm name contains spaces, it must be enclosed in quotation marks.

Basically, you can put pretty much any word next to "AuthName", such as EnterPassword.

AuthType sets the type of user authentication for a directory. In our case, that is Basic.

require valid-user allows all users who you have specified in your .htpasswd file to have access to the contents of the directory.

Second code method:

AuthUserFile /home/local/you/safedir/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET>
require valid-user
</Limit>

This second setup was what was recommended at my webhost. I don't know what the <Limit GET> and </Limit> do (perhaps someone can enlighten me?) but this worked as well as the first method. Like I mentioned before, check with your webhost first to see if they have a preferred method.

(Note that there are different variations on how you can set this up. If you want different private directories, all with different users having access, you can do that too. A web search for .htaccess will yield many tutorials.)

Use a text editor to create this file, and save it as htaccess. You will change it to .htaccess when you upload it to your server.

4. Upload your .htaccess file

The directory into which you upload this .htaccess file will become password protected. So, if you upload this .htaccess into the top level of your public_html directory, your entire website will be password protected. If you want to password protect only one weblog, and not your whole site, upload the file into the directory in which you would find the index.html or index.php of that weblog. For example, if I wanted to password protect Learning Movable Type, I would load the .htaccess file into: home/public_html/mt/. If you already have an existing .htaccess file in this directory, you can add the lines of text described here to your existing file. They just need to start on a new line.

Make sure that you include the (.) before htaccess when you are loading the file, or change the name of the file to include the dot after it has already loaded. On some FTP programs that may require setting the -a parameter to display the hidden files. You may also need to set the file's permission to 644.
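As an added example that is not part of the original post, the four steps above as a POSIX shell script: it creates the .htpasswd with Apache's htpasswd tool, checks that the file sits outside the web root, and writes the first method's .htaccess. The paths /srv/private and /var/www/mt and the user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. All paths are assumptions.

# Step 1: create the .htpasswd with Apache's htpasswd tool. Without -b,
# htpasswd prompts for the password instead of taking it on the command
# line, so it does not end up in shell history or the process list.
# -c creates the file; on Apache 2.4+ add -B to select bcrypt hashes.
create_htpasswd() {
  passwd_file="$1"; user="$2"
  htpasswd -c "$passwd_file" "$user"
  chmod 640 "$passwd_file"
}

# Step 2: return 0 when the password file is NOT under the web root,
# i.e. it cannot be fetched over HTTP.
outside_docroot() {
  docroot="$1"; passwd_file="$2"
  case "$passwd_file" in
    "$docroot"/*) return 1 ;;
    *)            return 0 ;;
  esac
}

# Step 3: emit the first method's .htaccess. AuthUserFile takes a
# filesystem path, not a URL. The require line is deliberately not wrapped
# in a <Limit ...> section: <Limit GET> would apply it to GET (and HEAD)
# only, leaving other methods such as POST without authentication.
make_htaccess() {
  cat <<EOF
AuthType Basic
AuthName "Private Weblog"
AuthUserFile $1
require valid-user
EOF
}

# Return 0 when an existing .htaccess wraps its access control in <Limit>,
# the weaker form used by the second method.
has_limit_section() {
  grep -qi '^[[:space:]]*<Limit[ >]' "$1"
}

# Step 4 (assumed paths): the directory that receives .htaccess is the one
# that becomes protected.
# create_htpasswd /srv/private/.htpasswd bartlett
# outside_docroot /var/www /srv/private/.htpasswd && \
#   make_htaccess /srv/private/.htpasswd > /var/www/mt/.htaccess
```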

Note that I've already explained that .htaccess is a powerful file. Make sure you understand it before you attempt to use it. I take no responsibility for what may result on your server by following the aforementioned instructions. My advice? Make friends with someone in tech support at your webhost.

MT Protect plugin - allows you to password protect an individual entry, or to restrict access to an entry to specific individuals based on their Typekey identity. From Movalog.
Htaccess and Dynamic Publishing
What is .htaccess?
Comprehensive Guide to .htaccess
Apache Tutorial: .htaccess files
htpassword: How does it work?
Password Protect Your Blog - Adam Kalsey's php script for limiting the viewing of an MT blog to MT blog authors.




» Good Password Tips and Password Management from Computer Internet Security ★ eLamb
These days a single computer users can have dozens of passwords. If there are computers at your job you may have 3 or 4 passwords to log on to your local system, a database or even a secured room. Though many people don't require a logon for their home......[read more]

Tracked: September 1, 2005 10:44 PM


This is for PP'ing a whole weblog -- but I suppose this would not work if I wanted only a single category [the ever so favourite "private", say] to be protected? In which event I'd have to design a "login" area that displays in the post instead of the actual text. Or something like that.

Just thinking...

Hi Mademoiselle, what I would do is have separate directories for each category and then just add a .htaccess to the category that you want to protect via FTP. You can create separate category directories through the naming convention - see

Hi- This works great. Thnx Elise!

You can also use this method to protect a single file. See this tutorial:

I'd be VERY careful using a password generation site. It's not a good idea to use an online form to enter both your username and a password for your server (data) et cetera. If the person running the site can track down (perhaps by IP...), then they may be able to use your username and password (that was entered into their online form).

Hi Betty,
What would you suggest as an alternative?

Hi Elise,

I apologize for not providing an alternate, more secure means of making a .htpasswd file.

If you have root access to your server, SSH to it, change to the directory you wish to create the .htpasswd in and type "htpasswd -bc .htpasswd username password" (without the quotes; replacing username with your username and password with your desired password).

The "c" means "create a new file" and the "b" means "use the password given on the command line (rather than prompting for it)."

If you do not have access to your server, I suggest you have your server admin do this for you.

I highly recommend that you do not use a third-party web form or any other unknown source to do this.


Hello Betty,

So you are suggesting that the risks of using a web-based form for encrypting passwords outweighs the risk of using an unencrypted password file. Fair enough.

Please clarify something for me. The IP address that would show up as a statistic on the site that hosts a form has to do with the internet connection I use to access the Internet. My website files are hosted by a web hosting company that has no connection whatsoever to the IP address from my Internet connection. So, even if someone knew my IP address for my web-surfing Internet connection, how would they know my website?

Is this security issue more of a concern for people whose web-surfing computer and website server share the same IP address?

Hi Elise,

Who said anything about using a non-encrypted password file?

The "htpasswd" command performs the actual creation of an encrypted .htpasswd file. [It is undoubtedly the same program that is being called from that server in europe where the cgi form is being called from.] The htpasswd way that I recommended above, is the actual way to create these encrypted password files. It is not some guy's website form that is the source for this. [By the way, there are 3 forms of encryption available with this command - one is set by default, the other two may be called by passing parameters...]

About the IP... It would be easier for someone to use your username and password (from that online form), if the IP that you are visiting from is the same as the IP of your server. However, there are ways to make the association. Let's say that you've posted to a blog, forum, or some other public place and have indicated what your domain name is, if someone can search on the IP used in that guy's web form, and find another instance of your IP in a public bbs (forum), or email header..., then they can read in the forum (or whatever) about where your blog/server/site is, and go to it and use your username and password.

That is probably clear as mud, I know. And, it is probably rare that it would happen.

I'm sure there are other ways to find out from your IP where you normally connect to...if someone really wants in.

The point is: as a general security precaution, it is not advisable to use some unknown person's web form to generate your password, especially when a username is also given.

Anyway, just my two cents.


Hi Elise --

How about using a MT template to maintain .htaccess (and even htgroup but probably not htpasswd)?

That adds the flexibility of using MT tags in the file, eliminates steps outside the MT system, and even gives my bloggers control of the file without me needing to give them ftp access.

Hi Elise, do you know if setting up different directories for each category will affect anything when I import content into my blog, or does MT 3.2 just see the category and, like Rosie the Maid, put "everything in its place?"


