Controlling Web-Server Access by Username and Group

Controlling access by hostname or IP is great when you want to ensure that only a network or machine you recognize is accessing your site or to block that pesky web spider that rudely ignores your robots.txt file. It is, however, used less often than user-based authentication.

To start the process, we’re first going to create the user database. This database will contain all the usernames and passwords that will be authenticated against; they’re not keyed to any specific directory, so you could use one database for 300 users spread across two dozen directories. To create the database, get into your Terminal and gaze blurry-eyed at the following command:

% htpasswd -c /Library/WebServer/.htpasswd morbus

It’s nice and innocent, right? htpasswd is the name of the utility that creates and modifies the user database. The -c flag tells htpasswd to create the database file (if the file already exists, -c overwrites it, so leave the flag off when adding more users later). /Library/WebServer/.htpasswd is the full path to our database file, and you’ll want to take special notice that it’s outside Apache’s document root (which, in OS X, is defined as /Library/WebServer/Documents). Sticking the file outside the document root ensures that no one can view this database from the Web. Finally, morbus is the user that you want to add to the database. Here’s sample output from this command:

% htpasswd -c /Library/WebServer/.htpasswd morbus
New password: ********
Re-type new password: ********
Adding password for user morbus
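
The point about keeping the database outside the document root can be checked with a short script. This is an added example, not code from the book; the function names and the temporary directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a password database lives outside the
# web server's document root, resolving symlinks first.

# Print the physical (symlink-resolved) path of an existing directory.
resolve_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Return 0 if FILE is outside DOCROOT, 1 if inside, 2 if a path is missing.
outside_docroot() {
    file=$1
    docroot=$2
    file_dir=$(resolve_dir "$(dirname "$file")") || return 2
    root=$(resolve_dir "$docroot") || return 2
    root=${root%/}    # only changes anything when the root is "/"
    # Compare with a trailing slash so .../Documents2 is not mistaken
    # for a directory inside .../Documents.
    case "$file_dir/" in
        "$root"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed layout mirroring the paths in the text.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/WebServer/Documents/private" \
         "$demo_root/WebServer/Documents2"

for f in WebServer/.htpasswd \
         WebServer/Documents/private/.htpasswd \
         WebServer/Documents2/.htpasswd; do
    if outside_docroot "$demo_root/$f" "$demo_root/WebServer/Documents"; then
        echo "OK      $f"
    else
        echo "EXPOSED $f"
    fi
done
```

On a real machine, call outside_docroot with /Library/WebServer/.htpasswd and /Library/WebServer/Documents as its two arguments.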

You’ll want ...
