I have a family history website, call it "my_family.com". The primary file, index.php, has some introductory remarks of explanation and an html form into which one puts the website's password (there's a single password used by all family members). If one runs "my_family.com" and inserts the correct password and clicks on the "Submit" button, the php code in the file takes you to the first of several html files -- call it "first.html," which gives one links to further html files. All of these files contain family trees, copies of letters, photos, reminiscences, obituaries, etc., and none of them should be available to non-family-members.
The problem is that if an intruder happens to learn the filename "first.html" and puts "my_family.com/first.html" into his/her browser, the intruder is immediately taken to first.html, skipping the password process altogether. From there, the intruder has access to the entire website.
How can I prevent this from happening?
A technician from GoDaddy, my web host, showed me how to insert a password protector in an .htaccess file. With this change, the website's first action is, in a sterile dialog box, to request a username and password. But I don't want to employ a username at all and I want to use my custom form for the password.
Any help would be greatly appreciated.