• We did not send an email asking for donations - please read this post.

.htaccess password protection: Securing a folder in a website



If you have any sort of sensitive documentation or private web application that you want to secure behind a username and password field, then .htaccess is a simple and easy way to start. .htaccess is a server side challenge/response security mechanism that is built directly into the web server. It is therefore, more secure than a scripted approach to security that is embedded into any application.

To use .htaccess, you will need to have access to a web accessible directory. In that directory, you will need to place the following file.

Making a .htaccess file
The .htaccess file should be placed inside of the directory that you want to secure. The file should contain the following code.

AuthUserFile /home/username/secrets/.htpasswd
AuthGroupFile /dev/null
AuthName "You Shall Not Pass!!"
AuthType Basic

require user username

The first line "AuthUserFile" is the full server path to your htpasswd file. You will need to edit this line so that it references the correct location of the .htpasswd file. Please note that this is not a URL, this is a server path, and in a Linux file system, will start with a /. You should also not put your .htpasswd file in a web accessible directory!!

Edit the line that starts with "require user" so that you enter the username of those who you want to give access to.

This applies if you had an htpasswd file that had multiple users setup in it and you wanted each one to have access to an individual directory. If you wanted the entire list of users to have access to that directory, you would replace Require user xxx with require valid-user.

The AuthName is the name of the area you want to access. It could say anything, such as "You Shall Not Pass!!". Feel free to change this to whatever you want.

We are using AuthType Basic because we are using basic HTTP authentication.

Generating a password file

There are a bunch of different ways to generate a .htaccess files. However, as this is a Linux Forum, we will show the CLI way of doing it. If you don't have command line access, just google "generate .htpasswd file" and you will be set.

USAGE: Command -c PATH UserName
htpasswd -c /home/username/secrets/.htpasswd Obama



I've used .htaccess before, quite a handy feature in my opinion, I could never make use of it once before since I had a Dynamic IP, have a static now so I can.


Why not in a Static IP

means why didnt you use .htaccess in a static IP?


Wow thanks for sharing such a great article, i am looking seriously for .htacess password from many weeks and find this one very useful
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation

Members online