The easiest way to password-protect a site is to use HTTP Authentication, where if a browser’s request for a protected page is not accompanied by the correct username and password, the Web server replies with an HTTP 401 error – which means “Unauthorized Access” – and an invitation for the browser to re-submit the request with a proper username and password. From the user’s point of view, most of this dialogue is hidden. Following that first failed request, the browser prompts the user (in a dialog box) for a username and password, and then re-submits the request, this time with the authentication information attached. Assuming the username/password combo is on the list of allowed users, the Web server then sends the page requested. The Web browser will likewise continue to send that username/password with all subsequent requests.

Look at the following code:

 
 
 
Authorization Failed
 
Without a valid username and password,
    access to this page cannot be granted.
    Please click 'reload' and enter a
    username and password when prompted.
 
 
 ";

if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$site_user || $_SERVER['PHP_AUTH_PW']!==$site_pass)
   {
       header("WWW-Authenticate: Basic realm=\"Protected Page: Enter your username and password for access.\"");
       header("HTTP/1.0 401 Unauthorized");
       exit($failure_msg);
   }

?>

For each page, you want to authenticate user, each page must have the above code. You can save this code to a script (for example auth.php) and include auth.php to any page, hence save yourself from rewriting the code for each page.