(510) 843-6389   1700 Martin Luther King Jr. Way Berkeley, CA 94709 support@lmi.net

How to Password Protect a Website

NOTE: If your website is hosted on either fuggle.lmi.net or nugget.lmi.net these instructions do NOT apply.

Technically what you do is password protect a directory in your Web site. If you password protect your document root directory (/usr/home/your_login/www/docs) then you are password protecting your whole site. But you may choose to only password protect a subdirectory of your Web site.

Briefly, you will need to edit a configuration file for your virtual server (kato sites only), create a file called “.htaccess” (this file will reside in the directory that you want to protect), and create the file containing the login names and passwords of authenticated users (this file is usually called “.htpasswd”).

Before you get started, you must know how to Telnet into your server and be familiar with the vi or pico text editors.

STEP 1: First you must set the configuration in your Web server to allow password protection. The file that contains this directive is:


(Substitute the login name on the Web server for “your_login”.)

Find the part of the file that contains the directives for your Document Root directory. It typically looks like this:

<Directory "/usr/home/your_login/www/docs">

Below that line you will find various comments (comments are preceded by a pound [#] sign) and directives that are specific to your Document Root directory.
Go to this part of the directives:

# This controls which options the .htaccess files in directories can
# override. Can also be "None", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"

Just below those comments you’ll see a line that contains this directive:

AllowOverride None

Change the word “None” to “AuthConfig” so that the line reads

AllowOverride AuthConfig

Save the changes and quit out of the file. (If it already read “AllowOverride AuthConfig” you need to nothing, just quit out of the file.) Then restart your virtual server by typing the command “usrserv reset”.

2. Next, decide what directory you want restricted access to. You can create one just for this purpose (make sure it is inside your www/docs directory). Go to that directory, and create a file called “.htaccess”. Enter the following text in it:

AuthGroupFile /dev/null
AuthType Basic

<Limit GET POST>
require valid-user

For example, I created a directory inside my www.4-2-0.com’s docs directory called testaccess (/usr/home/bigbhs/www/docs/testaccess). Inside that directory I created a file called .htaccess and this is what is in that .htaccess file:

AuthUserFile /usr/home/bigbhs/www/.htpasswd
AuthGroupFile /dev/null
AuthName "The 4-2-0 Secret Club"
AuthType Basic

<Limit GET POST>
require valid-user

3. Now go to the directory where you want to put the .htpasswd file (it should be the path that you put in the first line of the .htaccess file). NOTE: Do not put the .htpasswd file in the /usr/home/your_login/www/conf/ directory – this will not work! Also do not put it in /usr/home/your_login/www/docs/ directory or any subdirectory thereof – that is insecure.

Put it in /usr/home/your_login/www/ or perhaps create a directory such as /usr/home/your_login/www/passwd/ and put it in there.

When you are in the directory where you want the .htpasswd file, type this at the prompt:

htpasswd -c .htpasswd <firstusername>


htpasswd -c .htpasswd bobbysue

The program will prompt you for a password, then verify by asking again. You will not see the password when entering it. This creates the .htpasswd file and adds “bobbysue” as the first user. To add more users in the future, use the same command without the -c argument, i.e.:

htpasswd .htpasswd billyjoe

This will add username “billyjoe” to your .htpasswd file.

To delete users, open the .htpasswd file in a text editor and delete the appropriate lines:


(The password has been encrypted.)

For my example I am restricting access to this URL:


I created the directory “testaccess” and in it I put my .htaccess file.

When you go to the above URL you should get a prompt that says:

“Enter username for The 4-2-0 Secret Club at www.4-2-0.com”

Try the username: user1
And the password: qwerty

That should get you in!