In order to effectively use Website Access Manager, it’s necessary to understand how the software and the underlying process work.

Looking for detailed but easy-to-understand information about how .htaccess files work? Take a few minutes to read the CoffeeCup .htaccess Handbook. This comprehensive booklet answers all your questions about using .htaccess files in plain English.

.htaccess Basics

Website Access Manager uses these nifty things called .htaccess files to password protect your website. This process actually involves two files: .htaccess and .htpasswd. The .htpasswd file contains username and password combinations separated by a colon, like so:


The .htaccess file contains information about which users can access which folders and files. The code block generated by Website Access Manager looks like this:

#### CC BEGIN WEBSITE ACCESS MANAGER #### AuthUserFile /full/path/to/.htpasswd AuthName “Members Only” AuthType Basic # Access Restriction: Require user username order deny,allow #### CC END WEBSITE ACCESS MANAGER ####

The first chunk of code provides a full path to the .htpasswd file on your server, specifies the text in the pop-up message box users see when they try to access the protected area (in this case, “Members Only”), and defines the type of protection being used (in this case, Basic, which is the most common).

The second chunk of code tells the browser that only the specified users are allowed to access the protected area. Any usernames that appear in the .htaccess file should also appear in the .htpasswd file. The commands in .htaccess files are read and executed in the order in which they appear. Website Access Manager automatically appends any access commands you create to the end of any preexisting .htaccess and .htpasswd files.

.htaccess files can be used for many other purposes besides password protection. Website Access Manager contains features that allow you to use your .htaccess files to block certain IP addresses and domain names. Each computer has a unique IP address associated with it, and each domain name can be traced back to an IP address. If you would like to ban certain IP addresses from accessing your site, you can add them to a list of restricted IP addresses using Website Access Manager. The code block generated by the program looks like this:

#### CC BEGIN WEBSITE ACCESS MANAGER #### Order allow, deny allow from all deny from IP Address deny from IP Range deny from Domain Name #### CC END WEBSITE ACCESS MANAGER ####

This code states that all everyone should be allowed to access the site unless explicitly denied, and then lists the IP addresses and domain names that are not allowed. Whenever a user from one of the specified IP addresses or domain names attempts to access your website, they will be redirected to an error page. It is extremely important that you enter IP addresses correctly. If you don’t, you run the risk of blocking everyone from your site.

Another feature of .htaccess files is the ability to redirect users who make bad requests — such as requesting a page that doesn’t exist — to another page. Typically, a user who makes a bad request will see an error page with a generic message, such as “404 Error: The page you requested could not be found.” If you would prefer that your users see a custom page or be automatically redirected to a different location, such as your homepage, you can adjust that using Website Access Manager. The code block generated by the program looks like this:

#### CC BEGIN WEBSITE ACCESS MANAGER #### ErrorDocument 400 ErrorDocument 403 ErrorDocument 404 #### CC END WEBSITE ACCESS MANAGER ####

This code specifies a bad request, or error document number, and the webpage the user should be redirected to if they make this request. This is only a small sample of the number of available errors.

Whenever a user attempts to access a page that either does not exist or that they are not authorized to view, they will be automatically redirected to the page you specify. We recommend using the Catchall option in Website Access Manager and redirecting your users to the same page regardless of which request they make.

The code generated by our software is surrounded by #### CC BEGIN WEBSITE ACCESS MANAGER #### and #### CC END WEBSITE ACCESS MANAGER ####. If for any reason you need to delete these .htaccess settings but can’t do it using this program, simply open your .htaccess file using an FTP client — such as Direct FTP or Free FTP — and delete this code block. You will need to repeat this process for every .htaccess file created in the program.

A server may also contain multiple .htaccess files in various directories and subdirectories. The effect of this is cumulative, with commands specified in subdirectories taking precedence over commands specified in higher directories. For example, say your server had this structure:

File Tree

Now say there’s an .htaccess file in administrator stating that user1, user2, and user3 have access to all its contents. However, templates contains an .htaccess file stating that user1, user3, and user4 have access to its contents. Even though the .htaccess file in administrator states that user2 has access to all its contents, the .htaccess file in templates overrides that command. This means that user2 cannot access templates, khepri, any of the files contained within khepri, and so on.

Please note that .htaccess doesn’t work with all servers. It is only compatible with Apache or Apache-compatible servers (including lighttpd and EhttpD), and will not work at all with Microsoft-hosted servers.

.htaccess Protection

By default, your website and all the folders and files it contains are not password protected. Once you use Website Access Manager to give a user access to a specific section of your site, that section becomes password protected. Only users to whom you have given permission will be able to access that section using the username and password you specified.

When your users reach the password protected page on your website, they’ll see a login box that looks like this:

Authentication Required Window

When logging in, your users may need to enter their password twice. This has to do with the way browsers store login information. Although there isn’t an option to log out, .htaccess will log your users out whenever they close your browser. For ways to work around this, see the Frequently Asked Questions section.

Please note that .htaccess files provide basic authentication suitable for most websites, but they are not 100% secure. If you want to accept credit card information, you should opt for a more secure service, such as PayPal, Google Wallet, or Authorize.Net, or shopping cart software such as CoffeeCup Shopping Cart Creator.

For more detailed information about how .htaccess files work, take a few minutes to read the CoffeeCup .htaccess Handbook. This comprehensive booklet answers all your questions about using .htaccess files in plain English.