Saturday, April 23, 2005

How do I password-protect my website using .htaccess?

After a long time...I needed to refer to this info....Good & useful info...

Htaccess can be used to password-protect directories on your web site. All files and any subdirectories within a directory protected by htaccess will also be protected. So, if you wish to protect your entire web site, simply set up htaccess in your public_html directory (the root of your web site). However, if you only wish to protect certain directories, you may do so separately.

1. Change to the directory that you wish to protect
In the following example we wish to protect a directory called private in our public_html directory.

torch: ~$ cd public_html/private
torch: ~/public_html/private$

You also need to know the fully qualified path of the directory you wish to protect. So, from this directory, type pwd and remember the fully qualified path (you will need it in step 3).

torch: ~/public_html/private$ pwd
/users/cs/johndoe/public_html/private
torch: ~/public_html/private$

In the above example, the fully qualified path is /users/cs/johndoe/public_html/private.

The remaining steps in this guide assume we are still in this directory.

2. Create a file named .htaccess
Use your favourite editor to create a file called .htaccess (note the period at the beginning of the filename). In the below example we will use pico.

torch: ~/public_html/private$ pico .htaccess

3. Add the appropriate lines to the .htaccess file.
Using the editor you chose in step 2, input the following. You will need to modify the first 2 lines to match your configuration (see modifications below).

AuthUserFile /users/cs/johndoe/public_html/private/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
require valid-user

Modifications:

Beside AuthUserFile, put the fully qualified path you obtained in Step 1, with /.htpasswd immediately following it. The above example shows /users/cs/johndoe/public_html/private/.htpasswd
Beside AuthName, input the words or phrase that you wish to appear as the title for the username/password input box. An image of what this looks like can be seen below.

4. Create the .htpasswd file by adding users
Next use the htpasswd command to create your password file and username/password pairs:

torch: ~/public_html/private$ htpasswd -c .htpasswd bob
New password:
Re-type new password:
Adding password for user bob
torch: ~/public_html/private$

This creates the .htpasswd file and the username bob. You will then be prompted for a password for bob, which will be stored in the .htpasswd file (note that it will be stored as a hash in this file rather than in plain text).

The -c option creates a new .htpasswd file and overwrites an existing one, along with every user already in it, so use it only the first time. To add new users or change the password for existing users, switch to the protected directory you wish to add a user for, and type htpasswd .htpasswd username

torch: ~$ cd public_html/private
torch: ~/public_html/private$ htpasswd .htpasswd username

5. Set the permissions on your .htaccess and .htpasswd file
Finally, from within your protected directory, make both the .htaccess and .htpasswd files world-readable. You can do this with the command chmod a+r .htaccess .htpasswd.

torch: ~/public_html/private$ ls -al
total 10
drwxr-xr-x 2 johndoe csugrad 512 Jan 7 14:30 .
drwxr-xr-x 8 johndoe csugrad 512 Jan 7 11:50 ..
-rw------- 1 johndoe csugrad 156 Jan 7 12:05 .htaccess
-rw------- 1 johndoe csugrad 18 Jan 7 11:59 .htpasswd
torch: ~/public_html/private$ chmod a+r .htaccess .htpasswd
torch: ~/public_html/private$ ls -al
drwxr-xr-x 2 johndoe csugrad 512 Jan 7 14:30 .
drwxr-xr-x 8 johndoe csugrad 512 Jan 7 11:50 ..
-rw-r--r-- 1 johndoe csugrad 156 Jan 7 12:05 .htaccess
-rw-r--r-- 1 johndoe csugrad 18 Jan 7 11:59 .htpasswd
torch: ~/public_html/private$

Above we can see that the permissions on .htaccess and .htpasswd change from -rw------- to -rw-r--r--.

All done!
Now, anytime you attempt to view your protected directory, any file within it, or recursively any subdirectory of it, you will be prompted for a username and password. Please refer back to Step 4 if you wish to add more users or change a user's password.

Troubleshooting / Common Problems
Below are the most common problems experienced by users attempting to set up htaccess.

Permissions on both .htaccess and .htpasswd - Both the .htaccess and .htpasswd files need to be world readable. Please refer to Step 5 to ensure this has been done properly.
Fully qualified path to .htpasswd incorrect - The correct fully qualified path to a valid .htpasswd file must appear beside AuthUserFile in the .htaccess file. Please refer to Step 3 and verify this is correct.
The username doesn't exist in .htpasswd - To log in as a user, that user must have been correctly added to the .htpasswd file using the htpasswd command. Please refer to Step 4 to double-check.
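The three problems above can be checked mechanically, which also verifies steps 3 to 5 of the setup. The script below is an added example, not part of the original guide; the function name check_htaccess and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: diagnose the common problems for one protected directory.
# Usage: check_htaccess DIR USER
# Return codes (convention assumed for this example):
#   0 ok, 1 no .htaccess or no AuthUserFile line, 2 bad AuthUserFile path,
#   3 a file is not world-readable, 4 user missing from the password file
check_htaccess() {
    dir=$1 user=$2
    ht="$dir/.htaccess"
    [ -f "$ht" ] || { echo "no .htaccess in $dir"; return 1; }

    # Take the path from the first AuthUserFile line, dropping optional quotes.
    # Paths containing spaces are not handled.
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    [ -n "$pw" ] || { echo "no AuthUserFile line in $ht"; return 1; }

    # Step 3: the path must be fully qualified and point at an existing file.
    case $pw in
        /*) ;;
        *) echo "AuthUserFile is not a fully qualified path: $pw"; return 2 ;;
    esac
    [ -f "$pw" ] || { echo "AuthUserFile does not exist: $pw"; return 2; }

    # Step 5: both files need the world-read bit (8th character of ls -l mode).
    for f in "$ht" "$pw"; do
        case $(ls -ld "$f") in
            ???????r*) ;;
            *) echo "not world-readable: $f"; return 3 ;;
        esac
    done

    # Step 4: the user must have a user:hash entry in the password file.
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$pw" ||
        { echo "user $user not in $pw"; return 4; }

    echo "ok: $user has an entry in $pw and both files are readable"
}

# Run directly as: sh check.sh /users/cs/johndoe/public_html/private bob
if [ "$#" -eq 2 ]; then check_htaccess "$1" "$2"; fi
```
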

How do I remove htaccess protection?
To remove htaccess protection, simply delete or rename the .htaccess file in the directory you wish to remove protection from. The below example shows how to rename .htaccess to .htaccess-old.

torch: ~/public_html/private$ mv .htaccess .htaccess-old

Security Concerns
Should I be using .htaccess to protect highly sensitive data?
If you decide to protect something using .htaccess, be sure to understand one thing: the protection of your data relies upon the web server configuration. This means if the configuration changes, it might be possible for someone to retrieve your data. As a general rule, it's bad practice to place anything highly confidential or critical on a web server, period. There are numerous other options for storing and accessing sensitive data. Always remember, the web was originally designed for public access, and so access control is really an addition.

Username/Password Transmission
If the page you are protecting is http and not secure http, then your username and password will be sent across the network in plain text. A secure http address is always prefixed with https:// instead of http://. If you are accessing any site through http://, you should be aware that it is possible for someone to capture your traffic and extract your password. A good guideline is to make sure that no htaccess password is also used as a password anywhere else. Do not forget that you are solely responsible for keeping your password private.

Thursday, April 14, 2005

Your Work or Your Life - Excellent Article...

How to overcome the conspiracy against work-life balance.

If you want your life to be more than a series of meetings, emails and business trips, you are not alone. Balancing work responsibilities and personal lives is an objective in almost every one of my executive coaching relationships. Jack Welch has said in recent articles and interviews that he believes that great managers don't have work-life balance issues because they have the necessary "systems" in place. Even with a stay-at-home spouse and legions of personal assistants, this is a ridiculous comment. The only managers who don't have work-life balance issues are those who have given their lives to the company or who aren't telling anybody about the strain.

Your boss wants, in Welch's words, "to make your job so exciting that your personal life becomes a less compelling draw." You may wish that your boss embrace the "whole you" (and not view your children as competition), but most executives think of work-life balance as something that has to be "dealt with" - similar to a physical or emotional handicap. According to Welch, the typical boss is willing to "accommodate work-life balance challenges if you have earned it with performance." The implication is that you trade your life to earn the chits so that you can buy it back at some future time.

Unfortunately, this strategy doesn't really work for many of you because by the time you realize that you have problems with work-life balance, your habits, expectations, responsibilities and relationships (or lack thereof) have hardened. You have created your own "system" - that is, the combination of your organization's culture, your position and your work habits - that works well as long as you continue to put your job first and everything else second, third or not at all. This system is tuned for long hours away from home. Thus your spouse, children, church and community have become accustomed to your absence and have developed routines that require your funding but make your day-to-day involvement unnecessary.

It's important to realize that work-life balance is not about having more free time. It's about living a fuller, richer life that is more enjoyable and more significant. It means putting work in proper perspective as one of the things that you do and aspire to be great at, but not who you are. Work-life balance doesn't necessarily mean working fewer hours - everyone, including CEOs, works for others and has demands beyond their control - but it does mean gaining control over when, where and how work is done.

If you are one of the many whose narrowed world view consists primarily of work and sleep, the process of recalibrating your system to define yourself beyond your job is difficult. The key to regaining or retaining balance is making external commitments that appear on your calendar and treating them with the same level of dedication you give to your work. Welch speaks the truth that, within most companies, "work-life balance is your problem to solve" and "people who publicly struggle…get pigeonholed as ambivalent, entitled, uncommitted, incompetent." This means that, for most of you, work-life balance needs are a dirty little secret that you need to keep to yourself and resolve on your own.

Rather than letting work expand to fill all your time, set limits. Take advantage of the fact that companies and managers value results rather than effort, figure out how to work smarter (see my previous column, "It's Never Too Late for Time Management") and how to manage up, and stand your ground. When someone tries to impinge on an external commitment, adopt the mantra "Don't complain, don't explain." Just let them know how much time you have and work it out from there.

Those of you in your twenties have the opportunity to build balance into your work-life schedule from the beginning. Continue or incorporate the extra-curricular activities that you enjoyed in college (at least the healthy ones). If you eventually get married and have children, you will need to give up some of these activities, but you will have "hard-coded" a system that will not require you to change companies, positions or a career path to become the spouse and parent you wish to be. Be aware, however, that if you do this, it will impact the companies you choose and the positions you aspire to.

A balanced life may result in a slight tarnish on your managerial star or even the realization that you are in the wrong job or wrong company - but what's the alternative? For all the passion you put into your work and the joy that you get from creating and collaborating with others, at the end of the day, it's just a job - it doesn't hug you when you are sad and it won't take care of you when you get old.

Most of us are not destined to and don't want to become the next Jack Welch. Good thing, because even he sounds a little melancholy when he says that "my kids were raised, largely alone, by their mother" and advises us that when it comes to work-life balance, to do as he says, not as he did.

Susan Cramm, former CIO and vice president of IT at Taco Bell and CFO and executive vice president at Chevys, a Taco Bell subsidiary, is president of Valuedance, an executive coaching firm based in San Clemente, Calif. You can contact Susan at susan@valuedance.com and learn more about Valuedance at www.valuedance.com.