A technique I’ve used in the past is just turn off directory listing and shove protected content behind a directory named using the hash of the password. Then after hashing the password provided by the user, the directory either exists or it doesn’t.

Edit: I wouldn’t recommend this for anything serious, but for some blog posts of my wife’s that we wanted to be relatively private, it was good enough.