This technique password protects your Movable Type weblog content with your Movable Type credentials.


  1. Download the PHP file
  2. Change the file name extension from ‘.txt’ to ‘.php’ (necessary so it can be downloaded and not executed)
  3. Edit the file to insert your DB user name, DB password and DB database name in place of the generic tags.
  4. Upload the file to your MT CGI directory.
  5. Change the default extension of your archive files to PHP
  6. Modify the templates
    1. For index templates, change the extension to PHP for ones you want to protect
    2. Add the PHP require line to the top of each template
  7. If you already have content that should be protected, remove those files
  8. Rebuild your site

The single line to add to your templates should look like this:

<?php require('WikiVar "MTCGIServerPath" not defined>/author-access.php'); ?>

If you followed these instructions, you should be able to just cut and paste that in.

At this point access to any protected content will require a user name and password. Use your Movable Type author name and password. Note that author permissions aren’t checked — any author is accepted. It wouldn’t be too much effort to add a check to verify that the author is associated with the weblog (the weblog ID would be passed by the require line above using an MT tag).

Implementation Notes

I had a long struggle with having to authorize twice when clicking around the website. The final result was that ‘www.domain.com’ is distinct from a cookie point of view from ‘domain.com’. It also turns out that one the website where I was testing this, if you type in ‘domain.com/directory’ it gets converted to ‘www.domain.com/directory/index.php’. So the first authorization is for the ‘www’ subdomain and when a link is clicked an authorization for the top level domain is required. Interestingly, if the original request has a trailing slash, then the ‘www’ is not added. This behavior occurs in both IE and Firefox. Opera rewrites the URL in the same way but apparently treats the ‘www’ subdomain and the top level domain as equivalent. See here for critical details omitted in my hard copy manual.


DrH wanted to a Movable Type weblog on which she could post non-public things. The obvious solution was to password protect her weblog pages. My initial effort involved a .htaccess file and local user/password files but that was annoying because it was yet one more set of credentials to remember and keep in synch. I found this article on how to use PHP to perform the password check. It wasn’t quite what I wanted but it was close.

I cleaned up the code a bit and added cookie support so that access would persist over browser restarts. I wanted to use the Movable Type cookie itself but that’s not possible with modifying the Movable Type codebase.