Security / Privacy: Even You Can Password Protect a Directory (and a File)
by Harry Kenney

Sometimes the easiest thing seems nearly impossible – especially when it's something we've already decided beforehand is too difficult to even attempt. With me, that turned out to be the .htpasswd file and all the accompanying "mystical, technical whatevers" that also went into making one. But, much like Dr. Seuss's tale of Green Eggs and Ham, once I finally actually looked into it – and found the right tools and a couple of good examples – it turned out to be relatively simple. Yes, even you can do it!

So, here then is how to protect your directories. In fact, we'll go through the normal method plus a very sweet way of doing it in PHP as well. (No, don't be intimidated by that!) Again, trust me, this is easy as pie. If I can do it, you can too.

The Basics

First, you need two files, .htaccess and .htpasswd. (Ok, let's mention that yes, those are the file names. Not the extensions. They do start out with a dot on the front and nothing else before them. Don't let it freak you. That's just how it is.)

Now to create these all you need is a text editor. However, if you have an HTML editor that saves files in UNIX format, all the better. Ok, what does this mean exactly? It means some text editors add an additional end-of-line code, often invisibly; it's an old DOS holdover and it can stop that same file from working on a UNIX server. Note: You do NOT want to create these files in FrontPage or DreamWeaver or any other "fancy" editor, and no word processor programs either, because they will mess it up worse than Windows NotePad ever will by adding tons of extra, unneeded code.

Myself, I use HomeSite. I have long heard that TextPad is another very good one. There are also many other freeware ones, among those highly recommended elsewhere seem to be NotePadPlus and Nvu.

Ok another thing, if you're doing this on a PC, your text editor or HTML editor may force the file you save to end in .txt or .htm or something. If so, just let it. Afterwards you can rename it from "htaccess.txt" (or whatever it got called) to ".htaccess" either on your computer prior to uploading, or upload it to the server and then rename it there.

.htaccess

Got all of that? Then let's get to it. This code here below can serve as your .htaccess file template. Copy it, paste it, make the necessary changes.

AuthName "Label You Want Here"
AuthType Basic
AuthUserFile /web/sites/youraccount/domain.com/mydirectory/.htpasswd
require valid-user

If you already have an .htaccess file, then append the above to that file. You may have one already, as .htaccess can perform many functions, including 404 redirects among other things. If you don't have one, then just copy the above into your editor, make the adjustments needed and save it as .htaccess. The line that starts with "AuthUserFile" is the full server path to the .htpasswd file; in this setup that is inside the directory you want protected, since both the .htaccess file and the .htpasswd file you will create go into that server directory.

Remember, because the .htaccess file can do other things, you can have an .htaccess file without having an .htpasswd file. However, it does not work the other way around; an .htpasswd file requires there to be an .htaccess file to tell the server where to find it. The other thing to remember is these files "work down", meaning they protect not only the directory you put them in, but also any subdirectories. (If you ever hear a techie speak, they will say "child directories" and "parent directory", which means the same thing as the directory you're in and its subdirectories or subfolders.)

If that sounds at all confusing, it means simply that it would protect not only /mydomain.com/thisdirectory/ but also /mydomain.com/thisdirectory/one/ and /mydomain.com/thisdirectory/two/, etc. But it will not protect anything to the side of nor above it, such as /mydomain.com/ or /mydomain.com/thatdirectory/.

.htpasswd

Here's the magical file where users are put in and passwords are encrypted for protection. Do you need to know encoding? Heck no. To create the .htpasswd file, I use the free tool at Mainstream Webmasters: .htpasswd maker

Type in your name and the password you want, and it does the encryption for you. Copy the resulting line into a file. If you have multiple users, repeat the step and paste each on a separate line, such as this:

Guido:sDK33NPSnvonU
Norma:NFAgrHPnYTUJc

You will have to remember or write down your password. (And no, no reminders in the file: not only will it not work, it will give you a security hole, the opposite of what you are trying to achieve.) And no, there is no reversing the encrypted password to see what it was before. That's part of the security. So if you ever forget what it was, you'll just have to make a new password file from scratch.

Now that you've taken the line or lines produced by the password maker, save that file as .htpasswd. FTP both of them as ASCII to your directory, test, and voilà.

Btw, there are other handy tools at the above site. Sometimes when you're trying to think of a password it's tough. The stranger you go, the better. So rather than put in your dog's name or something else that's commonplace and could either be guessed at or cracked by a hacker running words through a dictionary program, it's much better to have passwords like 4hP1ojjd or PQF9hMEz. Where does one come up with stuff like that? Another very handy webmaster tool: the random password generator.
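To show what the .htpasswd maker and the random password generator actually do, and what the server does with the resulting lines, here is an added example written for this article; it is not code from the article or from the Mainstream Webmasters tools. The function names are hypothetical, the two users are the article's own sample names with freshly generated hashes, and it goes beyond the article in also producing the bcrypt ($2y$) format that Apache 2.4's htpasswd tool writes:

```php
<?php
// Added example, not code from the article or the tools it links. It turns
// "user + password" into a "user:hash" line (what the .htpasswd maker does)
// and shows how a server later checks such a line. Function names are hypothetical.
declare(strict_types=1);

// The 64 characters crypt() accepts in a classic two-character salt.
const SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Random password in the style of the article's "4hP1ojjd" examples, from a CSPRNG.
function random_password(int $length = 12): string
{
    $alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// One "user:hash" line. 'des' gives the 13-character format seen in the article's
// examples; 'bcrypt' gives the $2y$ format that Apache 2.4's `htpasswd -B` writes.
function make_htpasswd_line(string $user, string $password, string $scheme = 'bcrypt'): string
{
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name must be non-empty and contain no ":" or line breaks');
    }
    if ($scheme === 'des') {
        $salt = SALT_CHARS[random_int(0, 63)] . SALT_CHARS[random_int(0, 63)];
        $hash = crypt($password, $salt);      // a 2-character salt selects classic DES crypt
    } elseif ($scheme === 'bcrypt') {
        $hash = password_hash($password, PASSWORD_BCRYPT);
    } else {
        throw new InvalidArgumentException("unknown scheme: $scheme");
    }
    return $user . ':' . $hash;
}

// What the server does with the file: find the user's line, re-run crypt() on the
// attempt using the stored hash as the salt, and compare in constant time.
// Nothing here decrypts the stored value; it can only be re-derived and compared.
function check_htpasswd(string $fileContents, string $user, string $password): bool
{
    foreach (preg_split('/\R/', $fileContents) as $line) {
        $line = trim($line);
        // Skip blank lines and lines starting with '#'.
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$name, $stored] = explode(':', $line, 2);
        if ($name !== $user) {
            continue;
        }
        return hash_equals($stored, crypt($password, $stored));
    }
    return false;   // unknown user
}

// Constructed sample file: the article's two user names with new hashes.
$guidoPassword = '4hP1ojjd';
$normaPassword = random_password();
$file = make_htpasswd_line('Guido', $guidoPassword, 'des') . "\n"
      . make_htpasswd_line('Norma', $normaPassword) . "\n";

echo $file;
echo 'Guido, right password: ', var_export(check_htpasswd($file, 'Guido', $guidoPassword), true), "\n";
echo 'Guido, wrong password: ', var_export(check_htpasswd($file, 'Guido', 'guessed'), true), "\n";
echo 'Norma, right password: ', var_export(check_htpasswd($file, 'Norma', $normaPassword), true), "\n";
echo 'Unknown user:          ', var_export(check_htpasswd($file, 'Nobody', $guidoPassword), true), "\n";
```

Two design points worth noting. Classic DES crypt, the 13-character format in the article's sample lines, only uses the first eight characters of a password and is weak by today's standards, so where your server is Apache 2.4 the bcrypt lines are the better choice; the check function handles both because crypt() recognises the format from the stored hash. And since the article places .htpasswd inside a web-served directory, you are relying on Apache's default rule that refuses to serve files whose names begin with .ht; keeping the file outside the document root and pointing AuthUserFile at it removes that dependency.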

Ok, that's pretty much it; this article could easily end right here. But, you're jazzed now, aren't you? Admit it. Yes! That really was a whole lot easier than you could have imagined right? All it requires is the right tools and maybe a little explanation and an example. But wait, you're still jazzed, right? So then, what's next? Next is only one slight step more advanced (and I do mean slight). Again, if you couldn't do it easily I would not include it here.

There are times when you need extra security but you can't protect the entire directory, just a single file, and not an average one, but a script file. Don't get weak-kneed now. (Jazzed, remember. You can do this!) And that brings us to ...

PHP Auth

Below is a PHP code snippet that you can drop into almost any PHP script to make things more secure. For me, I was tired of various exploits messing up my own portal. I had also, a while back, made soooo many text modifications and put in so many addons and plugins and such that updating to a new version was basically impossible (or, in manhours, certainly impractical). In short, I needed extra security.

The big problem was the script didn't have its own separate /admin directory. It's one of those where everything is in the same directory, the area for the users and for the administration as well. You've seen scripts like this, and you probably have one like it too; you know, where the login URL goes something like http://www.mydomain.com/admin.php?s=login. So, without keeping out all the users I want visiting my site, there was no way to do the .htpasswd protection.

Or was there? Enter my programmer friend and his snippet for using PHP's HTTP Basic authentication support. Again, this is easy. If you've never altered a programming file (one ending in .php, for instance), this should still not scare you. Again, even I could do it.
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    // No credentials sent yet: tell the browser to prompt for them.
    header('WWW-Authenticate: Basic realm="YourLabelHere"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You are not authorized to view this page';
    exit;
} else {
    $userin = $_SERVER['PHP_AUTH_USER'];
    $passin = $_SERVER['PHP_AUTH_PW'];
    if ($userin === 'username_goes_here' and $passin === 'password_goes_here') {
        // Correct credentials: fall through to the rest of the script.
    } else {
        header('HTTP/1.0 401 Unauthorized');
        echo 'You are not authorized to view this page';
        exit;
    }
}

Now, if another exploit, hack, program hole or whatever lets somebody get in, they will be further blocked by having an additional login to contend with. Foolproof? Probably not. But it's like having the big red "club" on your car steering wheel or brake. If it doesn't stop them in and of itself, it might stop them just because there are other less secure cars (or in this case, sites) that can be broken into. And if the hackers are using a robot to do their work, it won't expect something that few other copies of the same script anywhere else have. Either way, it's yet another lock on the door. And, as you see, easy to add.

The snippet goes at the top of the script file. Not the very top: the top of every PHP file needs to start with <?php, so below that and above any other code is perfect. There are just three places to make changes in the snippet: the Auth label once again, and naturally the username and password. Unlike .htpasswd there is no encryption here, so it's another good place to use the random generator mentioned above to come up with a strange name. The one nice thing about this particular file is that if you do forget your password, you (but not strangers) can FTP in and view the file. Don't let this concern you, as remember your script no doubt already has its own admin login routine; this just adds an important second "lock on the door". Oh, and one other important difference from the standard .htpasswd method to remember is that this protects this file only – period; not the directory, not any other file in the directory, nor any subdirectories.
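The same gate can be written so that the password is not sitting in the file in clear text, which addresses the "no encryption here" point above. The following is an added example written for this article, not the snippet from the article or its author's code: it keeps the username and a bcrypt hash of the password, does both comparisons in constant time, and puts the check in one function so it can be exercised from the command line. The constant and function names are hypothetical.

```php
<?php
// Added example, not the article's snippet: the same HTTP Basic gate, with the
// password kept as a bcrypt hash instead of clear text and constant-time
// comparisons. Constant and function names are hypothetical.
declare(strict_types=1);

const AUTH_REALM = 'YourLabelHere';
const ADMIN_USER = 'username_goes_here';

// In real use, generate this once (for example with
// php -r 'echo password_hash("your password here", PASSWORD_BCRYPT);')
// and paste the resulting $2y$ string here, so the clear-text password is not
// in the file. It is computed on the fly only so this example runs stand-alone.
$adminHash = password_hash('password_goes_here', PASSWORD_BCRYPT);

// True only when both the user name and the password match. Both checks run
// every time (no early return) so response time does not reveal which one failed.
function credentials_valid(?string $user, ?string $pass, string $expectedUser, string $expectedHash): bool
{
    if ($user === null || $pass === null) {
        return false;                       // browser sent no Authorization header yet
    }
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $expectedHash);
    return $userOk && $passOk;
}

// Ask the browser for credentials (again) and stop the script.
function deny_and_exit(): void
{
    header('WWW-Authenticate: Basic realm="' . AUTH_REALM . '"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You are not authorized to view this page';
    exit;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone self-check when run from the command line.
    echo 'good credentials: ', var_export(credentials_valid(ADMIN_USER, 'password_goes_here', ADMIN_USER, $adminHash), true), "\n";
    echo 'wrong password:   ', var_export(credentials_valid(ADMIN_USER, 'nope', ADMIN_USER, $adminHash), true), "\n";
    echo 'wrong user:       ', var_export(credentials_valid('someone', 'password_goes_here', ADMIN_USER, $adminHash), true), "\n";
    echo 'no header:        ', var_export(credentials_valid(null, null, ADMIN_USER, $adminHash), true), "\n";
} else {
    // The gate itself: goes below the opening PHP tag and above the rest of the script.
    if (!credentials_valid($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null, ADMIN_USER, $adminHash)) {
        deny_and_exit();
    }
}
```

Two differences from the article's snippet are deliberate. A wrong password now also gets the WWW-Authenticate header, so the browser re-prompts instead of showing a bare error. And like the original, it assumes PHP runs where $_SERVER['PHP_AUTH_USER'] is populated (the Apache module does this); on other setups the Authorization header may need to be passed through before either version works. It is still only a second lock on the door, exactly as the article describes, in front of whatever login the script already has.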

Back it up!

Finally – and this by now is knee-jerk, automatic for me, and it should be for you and everyone else too – always always always make backups before editing a file. Just in case. This way, you can't ever go wrong. Or rather, if you do mess up, it's very short-lived, as opposed to devastating.



Harry Kenney is one of the owners of the Mainstream Webmasters ecommerce resource and admin of the webmaster forums there.

Posted on Wednesday, November 01 @ 16:25:59 EST by MWAdmin
 
