Password Protection for PHP Applications

If you need password protection for a PHP+Apache application that does not provide its own authentication then you can use Apache HTTP authentication as an alternative.

Note: this feature is not available for PHP-FPM+Nginx applications. It is only for PHP+Apache and the corresponding symlink app types.

To do so:


Log into a SSH session as your application's shell user.


Run the following commands to create the password file. This example will use myuser as the shell user name, myapp as the application name, and webuser as the name of the HTTP authentication user.

cd ~/apps/myapp
htpasswd -c .htpasswd webuser

Enter the password for webuser twice as prompted.


Add the following to your application's .htaccess file (if your app does not have a .htaccess file you can run touch ~/apps/myapp/.htaccess to create it):

<Files .*>
  Order Allow,Deny
  Deny from all

AuthUserFile /home/myuser/apps/myapp/.htpasswd
AuthName MyApp
AuthType Basic
require valid-user

If you need to create additional HTTP authentication users for your application, you can re-run the htpasswd command without the -c flag like so:

htpasswd .htpasswd anotheruser