« Speed up your site with Caching and cache-controlSecurity with Apache htaccess Tutorial »
Apache Authentication in htaccess
How to password-protect, Allow or Deny a visitor based on a condition. If you are having trouble getting htaccess-based password protection to work see: Troubleshooting htaccess Authentication: Getting it to work
Generate Your authentication htpasswd files with my free Online Password Generator!
« Speed up your site with Caching and cache-control | .htaccess Tutorial Index | » Security with Apache htaccess
<Files login.php> Order deny,allow Deny from all AuthName "htaccess password prompt" AuthType Basic AuthUserFile /home/askapache.com/.htpasswd Require valid-user </Files>
<FilesMatch "^(exec|env|doit|phpinfo|w)\.*$"> Order deny,allow Deny from all AuthName "htaccess password prompt" AuthUserFile /.htpasswd AuthType basic Require valid-user </FilesMatch>
Order deny,allow Deny from all Allow from 10.1.0.0/255.255.0.0
Order deny,allow Deny from all Allow from 10.1.2.3
Order deny,allow Deny from all Allow from 192.168.1.104 192.168.1.205
Order deny,allow Deny from all Allow from 10.1 Allow from 10 172.20 192.168.2
Order deny,allow Deny from all Allow from 10.1.0.0/16
Order deny,allow Deny from all Allow from 2001:db8::a00:20ff:fea7:ccea Allow from 2001:db8::a00:20ff:fea7:ccea/10
Order Allow,Deny Allow from apache.org Deny from wireshark.apache.org
Order deny,allow Deny from all AuthName "htaccess password prompt" AuthUserFile /home/askapache.com/.htpasswd AuthType Basic Require valid-user Allow from 172.17.10.1 Satisfy Any
I use this when I start a new site, and uncomment or delete parts of the file depending on the sites needs
#
# DEFAULT SETTINGS
#
Options +ExecCGI -Indexes
DirectoryIndex index.php index.html index.htm
ErrorDocument 400 /cgi-bin/error.php
ErrorDocument 401 /cgi-bin/error.php
ErrorDocument 403 /cgi-bin/forbidden.cgi
ErrorDocument 404 /404.html
ErrorDocument 405 /cgi-bin/error.php
ErrorDocument 406 /cgi-bin/error.php
ErrorDocument 409 /cgi-bin/error.php
ErrorDocument 413 /cgi-bin/error.php
ErrorDocument 414 /cgi-bin/error.php
ErrorDocument 500 /cgi-bin/error.php
ErrorDocument 501 /cgi-bin/error.php
### DEFAULTS
ServerSignature Off
AddType video/x-flv .flv
AddType application/x-shockwave-flash .swf
AddType image/x-icon .ico
AddDefaultCharset UTF-8
AddLanguage en-US .html .htm .txt .xml .php
SetEnv TZ America/Indianapolis
SetEnv SERVER_ADMIN webmaster@askapache.com
### PHPINI-CGI
#AddHandler php-cgi .php
#Action php-cgi /cgi-bin/php5.cgi
### FAST-CGI
#AddHandler fastcgi-script .fcg .fcgi .fpl
#AddHandler php5-fastcgi .php
#Action php5-fastcgi /cgi-bin/fastcgi.fcgi
#
# HEADERS and CACHING
#
# 1 YEAR
<FilesMatch "\.(flv|ico|pdf)$">
Header set Cache-Control "max-age=29030400, public"
</FilesMatch>
# 1 WEEK
<FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=604800, public"
</FilesMatch>
# 3 HOUR
<FilesMatch "\.(txt|xml|js|css)$">
Header set Cache-Control "max-age=10800"
</FilesMatch>
# 1 MIN
<FilesMatch "\.(html|htm|php)$">
Header set Cache-Control "max-age=0, private, no-store, no-cache, must-revalidate"
Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"NOI DSP COR NID CUR ADM DEV OUR BUS\""
Header set imagetoolbar "no"
</FilesMatch>
#
# REWRITES AND REDIRECTS
#
### SEO REDIRECTS
#Redirect 301 /ssl-ns.html /2006/htaccess/apache-ssl-in-htaccess-examples.html
#Redirect 301 /ht.tml
#Redirect 301 /index.html /
#RedirectMatch 301 /2006/htaccess-forum/(.*) /2006/htaccess/$1
#RedirectMatch 301 /(.*)rfc2616(.*) http://rfc.askapache.com/rfc2616/rfc2616.html
#RedirectMatch 301 /phpmanual(.*) /manual/en/$1
### REWRITES
RewriteEngine On
RewriteBase /
### WORDPRESS
#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteBase /
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule . /index.php [L]
#</IfModule>
### REQUIRE WWW
#RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
#RewriteRule ^(.*)$ /$1 [R=301,L]
### STOP LOOP CODE
#RewriteCond %{ENV:REDIRECT_STATUS} 200
#RewriteRule ^.*$ - [L]
### REDIRECT BLOG FEED TO FEEDBURNER
#RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator|Recent) [NC]
#RewriteRule ^feed/?.*$ http://feeds.feedburner.com/apache/htaccess [L,R=302]
### BLOCK WGET
#RewriteCond %{HTTP_USER_AGENT} ^Wget.* [NC]
#RewriteRule .* /cgi-bin/forbidden.cgi [L]
#
# AUTHENTICATION
#
### BASIC PASSWORD PROTECTION
#AuthName "Prompt"
#AuthUserFile /home/askapache.com/.htpasswd
#AuthType basic
#Require valid-user
### UNDER CONSTRUCTION PROTECTION
#AuthName "Under Development"
#AuthUserFile /home/askapache.com/.htpasswd
#AuthType basic
#Require valid-user
#Order Deny,Allow
#Deny from all
#Allow from 23.23.23.1 w3.org googlebot.com google.com google-analytics.com
#Satisfy Any
« Speed up your site with Caching and cache-control | .htaccess Tutorial Index | » Security with Apache htaccess
« Speed up your site with Caching and cache-control
Security with Apache htaccess Tutorial »
The love of liberty is the love of others; the love of power is the love of ourselves.
-- William Hazlitt
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
Your “Allow from IP without password prompt, and also allow from any address with password prompt” example is exactly what I was looking for. Thank you!
I am encountering a problem where I get a 404 page every time I put Require valid-user into the .htaccess of a folder. Any ideas why this might be happening?
Great article, thank you!
Bobby, create an .htaccess file in your wp-admin directory following the contents listed in “Allow from IP without password prompt, and also allow from any address with password prompt”.
The “Allow from 172.17.10.1″ should contain your static IP address if you have one, or that of your client if you are building this site for someone else to access. Of course, you can add more than one line in that format. It will allow anyone arriving from an IP in the Allow statement(s) to access the WPAdmin login screen without having the enter the Apache Username/Password combination. Everyone else will be stopped at the Apache login screen, and if they authenticate there they will then receive the WP login screen. I do this on over 100 WP sites.
I’m trying to use apache authentication as added protection to the password protected admin section of one of my sites. The site’s using WordPress. What’s happening is when I access the admin section the .htaccess file in that directory isn’t executing. Well, it will throw errors but if all’s fine it passes back to my root .htaccess which then displays the 404 page. If I remove the .htaccess from my admin directory I can once again access my login page. Any ideas? I’m stumped.
Hi,
I encountered this problem.
I have .htaccess file:
AuthType Basic AuthName "RestrictedFilesmain" AuthUserFile "d:\Program Files\Apache Group\Apache2\htdocs\main\conf\c.htpasswd" ErrorDocument 401 "ERROR_ 441 Authorization Required" ErrorDocument 403 "ERROR_ 403 Forbidden" ErrorDocument 404 "ERROR_ 404 Not Found" Require user loggeduser Require user chris
and c.htpasswd file
loggeduser:10144831511059024327 chris:a2wssd
When I log in into the protected page for the first time I enter chris:a2wssd and I am allowed to enter the page. Next I change password in the c.httpasswd file into a2ws4ss. And I still have access to the page just using refresh button in my Firefox browser.
It looks like the Apache server didn’t notice that I have change the password value in the mean time. What’s wrong? I need to stop immediately the access to the protected page by changing the password in the file.
Regards chris
Thanks for the snippets, I pasted them into my blog since I tend to forget them very easily :)
Just one question: why do you think it’s better to put ErrorDocument override in .htaccess files rather than vhost definitions?
I place them in vhost definition files because they don’t ever change (almost). I guess it’s just a matter of personal taste though
Thanks mate :)
Regarding “Require password for 1 file only”, shouldn’t this:
AuthName "htaccess password prompt" AuthType Basic AuthUserFile /home/askapache.com/.htpasswd Require valid-user
be this:
AuthName "htaccess password prompt" AuthType Basic AuthUserFile /home/askapache.com/.htpasswd Order deny,allow Deny from all Require valid-user
Your example allowed anyone on in two of my systems because of lack of a deny clause. Adding the two lines solved it.
I deactivated the plugin, tried to modify the .htaccess in wp-admin, but still cannot get into my admin panel. Help!!!!!!
Tags: 301 Redirect, 302 Redirect, 401, 403 Forbidden, 404 Not Found, 500, admin, Analytics, Apache, Apache Htaccess, apache ssl, askapache, Cache, Cache-Control, caching, CSS, errordocument, Examples, feed, FeedBurner, FilesMatch, Flash, GET, Google, Hacking, Htaccess, htaccess guide, htaccess tricks, htaccess tutorial, Htpasswd, HTTP Headers, HTTPS SSL, Login, Mod_Rewrite, Mod_Rewrite examples, Mod_Security, password, password protection, PDF, PHP, phpinfo, Prompt, Redirect, Rewrite Tricks, rewritecond, rewriterule, Security, SEO, server, servers, SetEnvIf, SPEED, stat, trick, tutorial, ultimate htaccess, Wget, Wireshark, WordPress,
It's very simple - you read the protocol and write the code. -Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group.
POSIX ® is a registered Trademark of The IEEE.
i found this to be an informative and interesting blog.. very useful and knowledge able. Thank you for the efforts you have made in writing this authentication article. Your writing abilities have inspired me..