We are committed to providing fast, efficient, and affordable software solutions that set new standards in the software development industry.
  • Protecting Your Apache Site with .htaccess
Technology Articles > Software > Security & Privacy > Protecting Your Apache Site with .htaccess

If you host your website on an Apache server, you can password protect any directory by using an .htaccess file. By setting up password protection in your .htaccess file, you can restrict access to any area on your web server by requiring users to enter a username and a password. Although there is some debate, an .htaccess password protection is generally considered to be more secure than creating a PHP login script, and definitely safer than a Javascript password module. This is because server-side and browser-side scripting is vulnerable to malfunctions in the web server, where the server may accidentally process the page contents as plain text. Or, in the case of Javascript functions, the user can simply disable Javascript to bypass the password protection.

.htaccess password protection is integrated directly into Apache. If Apache fails, then the web server simply won’t serve, so you’re not at risk of exposing your script. Here’s what you need to do.

Step 1

Choose a username and password. You’ll be including this in your .htpasswds file. However, you’ll need to encrypt your password before inserting it into your .htpasswds file. The format will be:

You can use this tool to create encrypted passwords: http://www.tools.dynamicdrive.com/password/

Step 2

Open up Notepad.exe or another plain text editor. Copy and paste the usernames and encrypted passwords into a blank document. You can include as many as you want. It should look like this:


But remember, the passwords must be encrypted.

Step 3

Save the file as “.htpasswds” –just like that, with the dot in front of it and no extension. Do not append .txt or .html to it.

Step 4

Create a new blank text document and paste the following code into it:

AuthUserFile /home/username/.htpasswds
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic

require user username

In the first line, replace “/home/username/.htpasswds” with the location where you’ll be uploading your .htpasswdws file. Tip: Place .htpasswds outside of your public_html folder so web browsers can’t see it. By placing it somewhere other than your public_html, you ensure that no one but those with FTP/SSH access can see it. This adds another layer of security.
In the last line, replace “username” with one of the usernames in your .htpasswds file. Alternately, you can change “username” to “valid-user” to allow any of the logins in your .htpasswds file access.

Step 5

Upload .htaccess to the directory you’d like to protect. Upload .htpasswds to the location you specified in .htaccess. Your website will now be password protected!

Note that if you place your password protected .htaccess file in the root of your web server directory, it affects all subdomains and pages as well. If you want to include a public area of your website, you should avoid placing .htaccess in your root domain. Instead, only place it where you want to restrict access. For example, you might want to place it in a yourdomain.com/admin/ subfolder in order to sequester your public area from your administration panel.