Password Protection using htaccess
Introduction
Although there are many uses of the .htaccess file, by far the most popular, and probably the most useful, is reliably password protecting directories on a website. Client-side tricks such as a JavaScript "password" page give no real protection: the check runs in the visitor's browser, and the content behind it is still served to anyone who requests the URL directly. With .htaccess the check is done by Apache itself before the file is sent, so there is no back door other than knowing a valid username and password. One caveat: Basic authentication only base64-encodes the credentials in transit, so serve protected areas over HTTPS.
The .htaccess File
Adding password protection to a directory using .htaccess takes two stages. The first part is to add the appropriate lines to your .htaccess file in the directory you would like to protect. Everything below this directory will be password protected:
AuthName "Section Name"
AuthType Basic
AuthUserFile /full/path/to/.htpasswd
Require valid-user
There are a few parts of this which you will need to change for your site. You should replace “Section Name” with the name of the part of the site you are protecting e.g. “Members Area”.
The /full/path/to/.htpasswd should be changed to the full server path (an absolute filesystem path, not a URL) of the .htpasswd file (more on this later). If you do not know the full path to your webspace, check your Bluehost cPanel: look in the left "stats" column.
The .htpasswd File
Password protecting a directory takes a little more work than the other .htaccess functions because you must also create a file containing the usernames and passwords allowed to access the site. These go in a file which (by default) is called .htpasswd. Like the .htaccess file, this is a file with no name and an 8 letter extension. Because the passwords in it are stored as hashes rather than in plain text it can technically be placed anywhere within your website, but it is strongly advisable to store it outside the web root (for example in your home directory) so that it can never be fetched with a browser. Also make sure the file is readable only by your own account and the web server user.
Entering Usernames And Passwords
Once you have created your .htpasswd file (you can do this in a standard text editor) you must enter the usernames and passwords to access the site. They should be entered as follows:
username:password
where the password is the hashed form of the password, not the password itself. To produce the hash you can use the htpasswd utility that ships with Apache, one of the pre-made scripts available on the web, or write your own. There is a username/password service at the KxS site (http://www.kxs.net/support/htaccess_pw.html) which will let you enter the username and password and output the line in the correct format; bear in mind that typing a password into a third-party website discloses it to that site, so generate hashes locally for anything that matters.
For multiple users, just add extra lines to your .htpasswd file in the same format as the first. There are even scripts available for free which will manage the .htpasswd file and will allow automatic adding/removing of users etc.
Accessing The Site
When you try to access a site which has been protected by .htaccess your browser will pop up a standard username/password dialog box. If you don't like this, there are scripts available which allow you to embed a username/password box in a web page to do the authentication. It is also possible to put the username and password directly in the URL, as follows:
http://username:password@hostname/colleges/
Avoid this: the credentials travel in the clear, end up in browser history and in proxy and server logs, and many current browsers either warn about or refuse credentials embedded in a URL.
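The whole exchange described above, as an added example written for this page rather than taken from it or from Apache: build .htpasswd lines, parse the file, and check the Authorization header a browser sends after the dialog, the way AuthType Basic plus Require valid-user do. The function names (sha_entry, parse_htpasswd, decode_basic, check_request) and the sample users are our own; only the {SHA} hash format, which is what htpasswd -s writes, is implemented because it needs nothing beyond the Python standard library. For a real site prefer bcrypt via htpasswd -B.

```python
"""Added example, not code from the original page: {SHA} .htpasswd entries,
file parsing, and a check of an HTTP Basic Authorization header the way
"AuthType Basic" + "Require valid-user" do.  All names here are our own."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def sha_entry(username: str, password: str) -> str:
    """One .htpasswd line in the {SHA} format: base64 of the raw SHA-1 digest."""
    if ":" in username:
        raise ValueError("':' separates the fields, so it cannot appear in a username")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map username -> stored hash; blank lines and '#' comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        username, sep, stored = line.partition(":")  # split on the first ':' only
        if sep:
            users[username] = stored
    return users


def verify_sha(password: str, stored: str) -> bool:
    """Constant-time comparison of the candidate's SHA-1 with the stored digest."""
    if not stored.startswith("{SHA}"):
        return False  # apr1 / bcrypt / crypt entries are outside this example
    expected = base64.b64decode(stored[len("{SHA}"):])
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def basic_auth_header(username: str, password: str) -> str:
    """What the browser sends after the login dialog: base64, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(auth_header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic header; anyone on the wire can."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None


def check_request(auth_header: Optional[str], users: Dict[str, str]) -> bool:
    """Emulate `Require valid-user`: a known user with a matching password passes."""
    creds = decode_basic(auth_header)
    if creds is None:
        return False  # Apache answers 401 here and the browser shows the dialog
    username, password = creds
    stored = users.get(username)
    if stored is None:
        # Hash anyway so an unknown user is not noticeably faster than a bad password.
        hashlib.sha1(password.encode("utf-8")).digest()
        return False
    return verify_sha(password, stored)


# Constructed sample file for this example; these are not real credentials.
SAMPLE_HTPASSWD = "\n".join([
    "# members area users",
    sha_entry("alice", "correct horse battery staple"),
    sha_entry("bob", "hunter2"),
    "",
])

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    hdr = basic_auth_header("bob", "hunter2")
    print(hdr, "->", decode_basic(hdr))  # the password is plainly recoverable
    print("bob / hunter2:", check_request(hdr, users))
    print("bob / Hunter2:", check_request(basic_auth_header("bob", "Hunter2"), users))
```

Running the block prints the header a browser would send and shows that decode_basic gets the password straight back out of it, which is the reason the page's advice to use HTTPS matters.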
Note: .htaccess is one of the most useful files a webmaster can use. There are a wide variety of different uses for it which can save time and increase security on your website.
If you wanted to password protect a specific page only, you can try this as your htaccess coding :
<Files "filename.cgi">
AuthUserFile /home/pathto/.htpasswd
AuthType Basic
AuthName "Secret Place"
Require valid-user
</Files>
You can protect the actual .htaccess file from being viewed by visitors with this code (Apache 2.2 syntax):
<Files ".htaccess">
order allow,deny
deny from all
</Files>
On Apache 2.4 the equivalent is a single Require all denied line inside the same <Files> block; the order/deny directives only keep working there if mod_access_compat is loaded. A stock Apache configuration already refuses to serve any file whose name begins with .ht, so treat this as a belt-and-braces measure rather than the only thing standing between visitors and your password file.
Some Examples :
Password for a directory:
AuthName "Private zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
require valid-user
AuthName is displayed to the user and can be used to explain the authentication request. The value of AuthUserFile defines the location of the file holding the passwords for this directory. That file is created with the htpasswd utility that ships with Apache (htpasswd.exe on Windows), or with a more convenient and flexible third-party program such as Htpasswd Generator.
For example, we create the following .htaccess file in the protected directory:
AuthName "For Registered Users Only"
AuthType Basic
AuthUserFile /pub/site.com/.htpasswd
require valid-user
In this example, the user requesting this directory will see the message "For Registered Users Only", and the file with passwords for access must be stored in the directory /pub/site.com/ and named .htpasswd. The path is an absolute path on the server's filesystem, starting from the root, not a URL path. If you specify it incorrectly, Apache will not be able to read the .htpasswd file and nobody will get access to this directory: every request fails rather than being let through.
Password for one file only:
Similar to protecting a whole directory with a password, you can set a password for one file only. An example of setting a password for the file private.zip:
<Files private.zip>
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
Require valid-user
</Files>
The Require line is essential: AuthType and AuthUserFile only say how to authenticate, and without a Require directive Apache never asks for a password at all.
Password for a group of files:
Similarly, you can use <Files ~ "\.(inc|sql|...other_extensions...)$">
to set a password for files matching a pattern (on Apache 2.4, <FilesMatch "\.(inc|sql)$"> is the preferred spelling of the same thing). An example of setting a password for accessing all files with the "sql" extension:
<Files ~ "\.(sql)$">
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
Require valid-user
</Files>
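The two mistakes this section warns about, a stanza that sets AuthType but forgets Require (so nothing is protected) and an AuthUserFile that is not an absolute path, are easy to catch mechanically. Below is an added example, written for this page and not part of it or of Apache: a small lint that parses an .htaccess text into scopes (the file itself plus each <Files>/<FilesMatch> block) and reports both problems. The names Scope, parse_scopes and lint and the sample stanzas are our own; the first sample deliberately mirrors the one-file stanza with its Require line missing.

```python
"""Added example, not code from the original page: a lint for .htaccess
auth stanzas.  It reports an AuthType with no Require in effect and an
AuthUserFile that is not an absolute path.  Names here are our own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

OPEN_RE = re.compile(r"^<(Files|FilesMatch|Directory|Location)\b(.*)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</(Files|FilesMatch|Directory|Location)>$", re.IGNORECASE)


@dataclass
class Scope:
    """One container plus the directives written directly inside it."""
    name: str
    parent: Optional["Scope"] = None
    directives: List[Tuple[str, str, int]] = field(default_factory=list)  # (key, value, line)

    def has(self, key: str) -> bool:
        return any(k == key for k, _, _ in self.directives)

    def require_in_effect(self) -> bool:
        # Require merges down from enclosing scopes, so a <Files> block inside a
        # directory that already says "Require valid-user" is still covered.
        scope: Optional[Scope] = self
        while scope is not None:
            if scope.has("require"):
                return True
            scope = scope.parent
        return False


def parse_scopes(text: str) -> List[Scope]:
    """Split an .htaccess text into the top-level scope and its <...> blocks."""
    root = Scope("(top level of .htaccess)")
    scopes, stack = [root], [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            scope = Scope(f"<{opened.group(1)}{opened.group(2)}>", parent=stack[-1])
            scopes.append(scope)
            stack.append(scope)
            continue
        if CLOSE_RE.match(line):
            if len(stack) > 1:
                stack.pop()
            continue
        parts = re.split(r"\s+", line, maxsplit=1)  # directive names are case-insensitive
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        stack[-1].directives.append((key, value, lineno))
    return scopes


def lint(text: str) -> List[str]:
    """Return one human-readable finding per problem; an empty list means clean."""
    findings: List[str] = []
    for scope in parse_scopes(text):
        if scope.has("authtype") and not scope.require_in_effect():
            findings.append(f"{scope.name}: AuthType is set but no Require applies, "
                            "so nothing here is actually password protected")
        for key, value, lineno in scope.directives:
            if key == "authuserfile" and not value.strip('"').startswith("/"):
                findings.append(f"line {lineno}: AuthUserFile {value} is not an absolute "
                                "path; Apache resolves it relative to ServerRoot, not your site")
    return findings


# Constructed samples.  UNPROTECTED is the one-file stanza with Require left out.
UNPROTECTED = """\
<Files private.zip>
AuthName "Users zone"
AuthType Basic
AuthUserFile /pub/home/your_login/.htpasswd
</Files>
"""

FIXED = UNPROTECTED.replace("</Files>", "Require valid-user\n</Files>")

RELATIVE_PATH = """\
AuthName "Private zone"
AuthType Basic
AuthUserFile .htpasswd
Require valid-user
"""

if __name__ == "__main__":
    for label, sample in (("unprotected", UNPROTECTED), ("fixed", FIXED), ("relative", RELATIVE_PATH)):
        print(label, "->", lint(sample) or "clean")
```

The ancestor walk in require_in_effect matters for real configurations: a top-level stanza that already ends in Require valid-user, followed by a <Files> block that only adds Require all granted for one public file, must not be reported, and it is not.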