.htaccess password protection is integrated directly into Apache. If Apache fails, then the web server simply won’t serve, so you’re not at risk of exposing your script. Here’s what you need to do.
Choose a username and password. You’ll be including these in your .htpasswds file. However, you’ll need to encrypt (hash) your password before inserting it into your .htpasswds file. The format will be:
You can use this tool to create encrypted passwords: http://www.tools.dynamicdrive.com/password/
Open up Notepad.exe or another plain text editor. Copy and paste the usernames and encrypted passwords into a blank document. You can include as many as you want. It should look like this:
But remember, the passwords must be encrypted.
Save the file as “.htpasswds”, just like that, with the dot in front of it and no extension. Do not append .txt or .html to it.
Create a new blank text document and paste the following code into it:
require user username
In the first line, replace “/home/username/.htpasswds” with the location where you’ll be uploading your .htpasswds file. Tip: Place .htpasswds outside of your public_html folder so web browsers can’t see it. That way, no one but those with FTP/SSH access can see it, which adds another layer of security.
In the last line, replace “username” with one of the usernames in your .htpasswds file. Alternatively, you can change the line to “require valid-user” to allow any of the logins in your .htpasswds file access.
Upload .htaccess to the directory you’d like to protect. Upload .htpasswds to the location you specified in .htaccess. Your website will now be password-protected!
Note that if you place your password-protected .htaccess file in the root of your web server directory, it affects all subdomains and pages as well. If you want to include a public area of your website, you should avoid placing .htaccess in your root domain. Instead, only place it where you want to restrict access. For example, you might want to place it in a yourdomain.com/admin/ subfolder in order to sequester your public area from your administration panel.
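As an added example that is not part of the original article, the Python check below reads a .htaccess and its password file and reports two mistakes the steps above warn about: a password file stored inside the web root, and entries that are not stored as a salted hash. The function names, the public_html location and the sample files are assumptions, and the hash bodies are constructed placeholders.

```python
import posixpath
import re

# Prefix of the stored value -> (scheme name, acceptable?); bcrypt is strongest.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$"), "apr1-md5", True),
    (re.compile(r"^\$[56]\$"), "sha-crypt", True),
    (re.compile(r"^\{SHA\}"), "unsalted-sha1", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", False),
]

def classify(hash_field):
    for pattern, name, ok in SCHEMES:
        if pattern.match(hash_field):
            return name, ok
    return "unrecognised-or-plaintext", False

def audit(htaccess_text, htpasswd_text, docroot):
    findings = []
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\n]+?)"?\s*$', htaccess_text, re.M | re.I)
    if not m:
        findings.append("no AuthUserFile directive")
    else:
        path = posixpath.normpath(m.group(1))
        root = posixpath.normpath(docroot)
        if (path + "/").startswith(root + "/"):
            findings.append(f"{path} is inside the web root")
    for n, line in enumerate(htpasswd_text.splitlines(), 1):
        user, sep, hash_field = line.strip().partition(":")
        if not sep:
            continue  # blank or malformed line
        name, ok = classify(hash_field)
        if not ok:
            findings.append(f"line {n}: {user} uses {name}")
    return findings

# Constructed sample input: paths are assumed, hash bodies are placeholders.
SAMPLE_HTACCESS = """AuthType Basic
AuthName "Restricted"
AuthUserFile /home/username/public_html/admin/.htpasswds
Require valid-user
"""
SAMPLE_HTPASSWD = """alice:$2y$10$CONSTRUCTEDplaceholder
bob:{SHA}CONSTRUCTEDplaceholder=
carol:hunter2
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, "/home/username/public_html"), sep="\n")
```

An empty list from audit() means the password file sits outside the web root and every entry uses a salted scheme.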