Protect a Directory Using .htaccess

  1. Create a .htaccess file

    Use an ASCII text editor like Notepad to create a text file with the following contents:

    AuthName "Secure Area"
    AuthType Basic
    AuthUserFile /path/to/your/directory/.htpasswd
    require valid-user

    Note that you will have to modify the above according to your situation. In particular, change:

    1. AuthName

      Change “Secure Area” to any name that you like. This name will be displayed when the browser prompts for a password. If, for example, that area is to be accessible only to members of your site, you can name it “Members Only” or the like.

    2. AuthUserFile

      You will later create a file containing passwords named .htpasswd. The “AuthUserFile” line tells the Apache web server where it can locate this password file.

      Ideally, the password file should be placed outside any directory accessible by visitors to your website. For example, if the main page of your web site is physically located in “/home/your-account-name/public-html/”, place your .htpasswd file in (say) /home/your-account-name/.htpasswd. That way, on the off-chance that your host misconfigures your server, your visitors cannot view the .htpasswd contents by simply typing

      Wherever you decide to place the file, put the full path of that file after “AuthUserFile”. For example, if the directory where you placed the file is /home/your-account-name/.htpasswd, modify that name to “AuthUserFile /home/your-account-name/.htpasswd”. Note that your password file need not be named .htpasswd either. It can be any name you wish. For ease of reference, however, this tutorial will assume that you chose “.htpasswd”.

    3. AuthType and require

      You do not have to modify these. Just copy the lines as they are given above.

  2. Save and Upload the .htaccess file

    Save the .htaccess. If you are using Notepad, be sure to save the file as “.htaccess”, including the quotes, otherwise Notepad will change the name to “.htaccess.txt” behind your back. Then upload the .htaccess file to the directory that you want to protect.

  3. Set Up the Password File, .htpasswd

    Use your telnet or SSH software and log into your shell account.

    Be sure that you are in your home directory, not somewhere else. Note that your web directory is probably not your home directory on most commercial web hosts. On servers that use a Unix-type system (like Linux, FreeBSD and OpenBSD), you can usually go to your home directory by simply typing “cd” (without the quotes) followed by the ENTER key (or RETURN key on a Mac). This, by default, will switch you to your home directory. (Note for Windows users – this is different from the Windows/DOS shell, where “cd” only displays the current working directory.)

    Then, type the following command:

    htpasswd -c .htpasswd your-user-name

    where your-user-name is the login name of the user you want to give access. The user name should be a single word without any intervening spaces. You will then be prompted to enter the password for that user. When this is done, the htpasswd utility creates a file called .htpasswd in your current directory (home directory). You can move the file to its final location later, according to where you set the AuthUserFile location in .htaccess.

    If you have more than one users, you should create passwords for them as well, but using the following command for each subsequent user:

    htpasswd .htpasswd another-user-name

    Notice that this time, we did not use the “-c” option. When the “-c” option is not present, htpasswd will look for an existing file by the name given (.htpasswd in our case), and append the new user’s password to that file. If you use “-c” for your second user, you will wipe out the first user’s entry since htpasswd takes “-c” to mean create a new file, overwriting the existing file if present.

    If you are curious about the contents of the file, you can take a look using the following command:

    cat .htpasswd

    Since the .htpasswd file is a plain text file, with a series of user name and encrypted password pairs, you might see something like the following:


    This file has two users “sally” and “mary”. The passwords you see will not be the same as the one you typed, since they are encrypted.

    Before you quit, you should make sure that permissions on the file are acceptable. To check the permissions, simply type the following on the shell command line:

    ls -al .htpasswd

    If you see the file with a listing like:

    -rw-rw-rw- (...etc...) .htpasswd

    it means that the .htpasswd can be read and written by everyone who has an account on the same server as you. The first “rw” means that the owner of the file (you) can read it and write to it. The next “rw” means everyone in the same group as you can read and write the file. The third “rw” means that everyone with an account on that machine can read and write the file.

    You don’t want anyone else to be able to write to the file except you, since they can then add themselves as a user with a password of their own choosing or other nefarious stuff. To remove the write permission from everyone except you, do this from the shell command line:

    chmod 644 .htpasswd

    This allows the file to be read and written by you, and only read by others. Depending on how your server is set up, it is probably too risky to change the permissions to prevent others from your group or the world from reading it, since if you do so, the Apache web server will probably not be able to read it either. In any case, the passwords are encrypted, so a cursory glance at the file will hopefully not give away the passwords.

    If you have set a different directory for your password file in your .htaccess earlier, you will need to move it there. You can do this from the shell command line as follows:

    mv .htpasswd final/location/of/the/file

    Remember that your file does not even have to be called .htpasswd. You can name it anything you like. However, if you do, make sure that your AuthUserFile has the same directory and filename or Apache will not be able to locate it.

Testing Your Setup

Once you have completed the above, you should test your set up using your browser to make sure that everything works as intended. Upload a simple index.html file into your protected directory and use your web browser to view it. You should be greeted with a prompt for your user name and password. If you have set everything up correctly, when you enter that information, you should be able to view the index.html file, and indeed any other file in that directory.

A Word of Caution

You should note a few things though, before you go berserk password protecting directories and harbouring the illusion that they can safeguard your data:

  1. The password protection only guards access through the web. You can still freely access your directories from your shell account. So can others on that server, depending on how the permissions are set up in the directories.
  2. It protects directories and not files. Once a user is authenticated for that folder, he/she can view any file in that directory and its descendants.
  3. Passwords and user names are transmitted in the clear by the browser, and so are vulnerable to being intercepted by others.
  4. You should not use this password protection facility for anything serious, like guarding your customer’s data, credit card information or any other valuable information. It is basically only good for things like keeping out search engine bots and casual visitors. Remember, your data isn’t even encrypted in the directory with this method.



I am a g33k, Linux blogger, developer, student and Tech Writer for My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.