How do I password-protect my website using .htaccess?

July 5, 2007 at 2:39 pm | Posted in .htaccess, .htpasswd, apache | 2 Comments

Htaccess can be used to password-protect directories on your web site. All files and any subdirectories within a directory protected by htaccess will also be protected. So, if you wish to protect your entire web site, simply set up htaccess in your public_html directory (the root of your web site). However, if you only wish to protect certain directories, you may do so separately.

1. Change to the directory that you wish to protect

In the following example we wish to protect a directory called private in our public_html directory.

torch: ~$ cd public_html/private
torch: ~/public_html/private$

You also need to know the fully qualified path of the directory you wish to protect. So, from this directory, type pwd and remember the fully qualified path (you will need it in step 3).

torch: ~/public_html/private$ pwd
/users/cs/johndoe/public_html/private
torch: ~/public_html/private$

In the above example, the fully qualified path is /users/cs/johndoe/public_html/private.

The remaining steps in this guide assume we are still in this directory.

2. Create a file named .htaccess

Use your favourite editor to create a file called .htaccess (note the period at the beginning of the filename). In the below example we will use pico.

torch: ~/public_html/private$ pico .htaccess

3. Add the appropriate lines to the .htaccess file.

Using the editor you chose in step 2, input the following. You will need to modify the first 2 lines to match your configuration (see modifications below).

AuthUserFile /users/cs/johndoe/public_html/private/.htpasswd
AuthName "Title for Protected Site"
AuthType Basic
Require valid-user


  1. Beside AuthUserFile, put the fully qualified path you obtained in Step 1, with /.htpasswd immediately following it. The above example shows /users/cs/johndoe/public_html/private/.htpasswd
  2. Beside AuthName, input the words or phrase that you wish to appear as the title for the username/password input box.

4. Create the .htpasswd file by adding users

Next use the htpasswd command to create your password file and username/password pairs:

torch: ~/public_html/private$ htpasswd -c .htpasswd bob
New password:
Re-type new password:
Adding password for user bob
torch: ~/public_html/private$

This creates the .htpasswd file and the username bob. You will then be prompted for a password for bob, which will be stored in the .htpasswd file (note that it is stored in this file as a hash, not as plain text, for security).

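So, to create new users and change the password for existing users, switch to the protected directory you wish to add a user for, and type htpasswd .htpasswd username, without the -c option. The -c option creates a new .htpasswd file, so using it on an existing file replaces the file and discards every user already in it.

torch: ~$ cd public_html/private
torch: ~/public_html/private$ htpasswd .htpasswd username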

5. Set the permissions on your .htaccess and .htpasswd files

Finally, from within your protected directory, make both the .htaccess and .htpasswd files world-readable. You can do this with the command chmod a+r .htaccess .htpasswd.

torch: ~/public_html/private$ ls -al
total 10
drwxr-xr-x   2 johndoe    csugrad      512 Jan  7 14:30 .
drwxr-xr-x   8 johndoe    csugrad      512 Jan  7 11:50 ..
-rw-------   1 johndoe    csugrad      156 Jan  7 12:05 .htaccess
-rw-------   1 johndoe    csugrad       18 Jan  7 11:59 .htpasswd
torch: ~/public_html/private$ chmod a+r .htaccess .htpasswd
torch: ~/public_html/private$ ls -al
drwxr-xr-x   2 johndoe    csugrad      512 Jan  7 14:30 .
drwxr-xr-x   8 johndoe    csugrad      512 Jan  7 11:50 ..
-rw-r--r--   1 johndoe    csugrad      156 Jan  7 12:05 .htaccess
-rw-r--r--   1 johndoe    csugrad       18 Jan  7 11:59 .htpasswd
torch: ~/public_html/private$

Above we can see that the permissions on .htaccess and .htpasswd change from -rw------- to -rw-r--r--.

All done!

Now, anytime you attempt to view your protected directory, any file within it, or recursively any subdirectory of it, you will be prompted for a username and password. Please refer back to Step 4 if you wish to add more users or change a user’s password.

Troubleshooting / Common Problems

Below are the most common problems experienced by users attempting to set up htaccess.

  1. Permissions on both .htaccess and .htpasswd – Both the .htaccess and .htpasswd files need to be world readable. Please refer to Step 5 to ensure this has been done properly.
  2. Fully qualified path to .htpasswd incorrect – The correct fully qualified path to a valid .htpasswd file must appear beside AuthUserFile in the .htaccess file. Please refer to Step 3 and verify this is correct.
  3. The username doesn’t exist in .htpasswd – When attempting to login as a user, they need to have been correctly added to the .htpasswd file using the htpasswd command. Please refer to Step 4 to double-check.
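The three checks above can be scripted. The following is an added example, not part of the original post: check_htaccess is a hypothetical helper name, and the demo directory and password entry are constructed placeholders.

```shell
#!/bin/sh
# check_htaccess DIR USER (hypothetical helper): runs the three checks from the
# troubleshooting list, prints each problem, and returns how many it found.
check_htaccess() {
    dir=$1 user=$2 problems=0
    [ -f "$dir/.htaccess" ] || { echo "no .htaccess in $dir"; return 1; }

    # Problem 2: AuthUserFile must be a fully qualified path to an existing file.
    pwfile=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' \
        "$dir/.htaccess")
    case $pwfile in
        /*) [ -f "$pwfile" ] || { echo "AuthUserFile not found: $pwfile"; problems=$((problems + 1)); } ;;
        *)  echo "AuthUserFile is not a fully qualified path: '$pwfile'"; problems=$((problems + 1)) ;;
    esac

    # Problem 1: both files need the read bit for "other" (chmod a+r).
    for f in "$dir/.htaccess" "$pwfile"; do
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -prune -perm -004)" ]; then
            echo "not world-readable: $f"; problems=$((problems + 1))
        fi
    done

    # Problem 3: the user needs a "user:hash" entry in the password file.
    if [ -f "$pwfile" ] &&
       ! awk -F: -v u="$user" '$1 == u { ok = 1 } END { exit !ok }' "$pwfile"; then
        echo "user '$user' not in $pwfile"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed demo: a throwaway directory laid out like the guide's "private".
demo=$(mktemp -d)
printf 'AuthUserFile %s/.htpasswd\nAuthName "Title for Protected Site"\n' "$demo" > "$demo/.htaccess"
printf 'AuthType Basic\nRequire valid-user\n' >> "$demo/.htaccess"
printf 'bob:CONSTRUCTED-PLACEHOLDER-HASH\n' > "$demo/.htpasswd"
chmod 600 "$demo/.htaccess" "$demo/.htpasswd"
check_htaccess "$demo" bob || echo "problems before chmod a+r: $?"
chmod a+r "$demo/.htaccess" "$demo/.htpasswd"
check_htaccess "$demo" bob && echo "all three checks pass"
rm -rf "$demo"
```

The AuthUserFile parser assumes a path without spaces, as in the guide's example.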

How do I remove htaccess protection?

To remove htaccess protection, simply delete or rename the .htaccess file in the directory you wish to remove protection from. The below example shows how to rename .htaccess to .htaccess-old.

torch: ~/public_html/private$ mv .htaccess .htaccess-old

Security Concerns

Should I be using .htaccess to protect highly sensitive data?

If you decide to protect something using .htaccess, be sure to understand one thing: the protection of your data relies upon the web server configuration. This means if the configuration changes, it might be possible for someone to retrieve your data. As a general rule, it’s bad practice to place anything highly confidential or critical on a web server, period. There are numerous other options for storing and accessing sensitive data. Always remember, the web was originally designed for public access, and so access control is really an addition.

Username/Password Transmission

If the page you are protecting is served over http and not secure http, then your username and password will be sent across the network in plain text. A secure http address is always prefixed with https:// instead of http://. If you are accessing any site through http://, you should be aware that it is possible for someone to capture your traffic and extract your password. A good guideline to follow is to make sure that no htaccess password is the same as any of your other passwords. Do not forget that you are solely responsible for keeping your password private.


If you’re looking to implement this on your own web server, then you should bypass htaccess altogether and simply enter the commands into the httpd.conf (Apache configuration) file, specifying the directories to which they should apply. The commands that are valid within htaccess are also valid in your Apache configuration file. Putting them in the Apache configuration helps to speed things up and simplifies web server management.


