Password Protection Using .htaccess

June 26th, 2011 by Tony de Jesus

Folder with a padlockThere are several ways to protecting files and folders on your website from unauthorized users. For example, you can use PHP (or another server side programming language) to ask for login and password information on each page. Apache Web Server also allows you password protect individual files, folders, or your entire site in an easy and realiable way. In this article, I will show you how to protect your files using .htaccess.

When to protect a file/folder?

There are many situations that will lead you to protect specific parts or sections of your website, for example:

  • You’re building a new website, but you only want yourself (and maybe your client) to be able to view the work-in-progress.
  • Your website has some paid content that only subscribers should be able to access.
  • Your website contains an area that you never want the general public to have access to – for example, your web stats or private pages.

In order to protect a file/folder by using this method, you will need two files: .htaccess and .htpasswd. Now let’s see how it works.

.htaccess File

AuthType Basic

AuthName "The Protected Area"

AuthUserFile /path/to/.htpasswd

Require valid-user

The AuthUserFile directive tells the web server where the .htpasswd file, that contains the list of all valid users, is located.

.htpasswd File



The .htpasswd file contains the usernames and passwords of the users, one per line. The passwords are “encrypted” using MD5 for security reasons.

, ,


One Comment

  1. Bruno Azevedo

    Very usefully post.



Leave a Reply