Comments on: How to password protect a web site?

Question: How to password protect a web site?

freddymungo — Tue, 17 Jul 2007 23:35:05 -0800

I only want some specific people to be able to read my family website, so I have a two-pronged website password protection question.

I would like to password-protect a website run by Wordpress. It shouldn't be indexable or searchable or even readable to anybody who doesn't know the password I'd send out to the people who would read it-- basically a family blog, for just the family and friends to read.

First, ideally the front page should just have one password field to fill out, and then they'd click okay and be able to do everything like it wasn't password protected-- no special user page or anything, which is what I get when I sign in to Wordpress with a "subscriber" account.

Second, I'd like for people to only have to fill in the password box once. It'd be nice if their putting in the right password would approve their IP address to read it, so every time they came back on that computer it'd skip right to the normal web site.

So, all that family or friends would have to do to read it would be to have the address bookmarked and enter the password once.

Are either of these things possible, and if so, what's the easiest way to do them? Failing that, any other possibilities are welcome.

By: null terminated

null terminated — Tue, 17 Jul 2007 23:39:36 -0800

Basic Authentication has the benefit of allowing access in the form:

http://user:pass@yoursite.com

If you set this up using .htaccess, you could fill out the username and password and give your friends and family the link with the username/password already entered. No one else would be able to access the site and the people you gave the link to would never need to enter the password.

By: flabdablet

flabdablet — Tue, 17 Jul 2007 23:49:06 -0800

Don't tie authentication to an IP address. If any of your intended users are on dynamically assigned IP's, Bad Things will happen. Use a cookie, just like Mefi does.

By: freddymungo

freddymungo — Tue, 17 Jul 2007 23:50:35 -0800

I use Filezilla so the tutorial lost me at creating the .htpasswd file. Other than that, it seems to be just what I'm looking for...

By: KokuRyu

KokuRyu — Tue, 17 Jul 2007 23:58:33 -0800

This is a great thread. I'm also trying to set up a blog that is only visible to certain users, but the password-per-post method seems fairly inelegant.

I know that Vox has better privacy controls than does WordPress, but Vox's UI is kind of...dumb looking.

By: null terminated

null terminated — Wed, 18 Jul 2007 00:00:53 -0800

freedymungo: There are a few online tools that will generate the data needed to put in the .htpasswd file.

Here's one.

That will let you generate a username and password pair. If you copy that into a file named .htpasswd and make sure the htaccess file points to it, it should work.

By: null terminated

null terminated — Wed, 18 Jul 2007 00:02:46 -0800

Another helper site. One more.

By: dance

dance — Wed, 18 Jul 2007 01:31:03 -0800

@null terminated

Hasn't IE had inURL user:pass login disabled since 2005? Not that I'm an IE user, but freddymungo's family/friends could be.

By: adamrice

adamrice — Wed, 18 Jul 2007 06:49:25 -0800

It looks like there are a few Wordpress plugins that do add this feature, basically by taking advantage of the user-level feature that is built into Wordpress (but easy to overlook). This one seems pretty flexible. You can restrict certain categories to certain user levels, which seems like the easiest "fire and forget" method.

By: jon4009

jon4009 — Wed, 18 Jul 2007 06:54:58 -0800

Hasn't IE had inURL user:pass login disabled since 2005? Not that I'm an IE user, but freddymungo's family/friends could be.

Yep it's been disabled for a long while. See this page for their explanation. You can re-enable it with a registry hack (described on the page) but I don't think that's advisable for his target audience :)

As for original question, you could always use LiveJournal or something similar; it allows you to restrict posts to groups of users, and already takes care of the whole authentication thing for you. I have a feeling they may even support using your own domain name, if that's what you're after.

By: null terminated

null terminated — Wed, 18 Jul 2007 07:54:05 -0800

dance: Thanks, I didn't know that. Nevermind then.