How To: Protect Web Folders with .htaccess

Have you ever wanted to password protect a website or a subfolder of a website? Many CMSs allow this, but there is a pretty simple way to protect access to the site before any login procedure: an .htaccess file, which some people may find useful.

I had to do this recently and thought it would be useful to some to share the details, as some of it can be quite tricky and various instructions you will find are ambiguous.

The end result we want is that whenever a user goes to a particular address he will be greeted with something like this from the browser:

[Image: Browser Login Dialog]

Note that this is completely independent from any forum or CMS logins that may be required.

So here’s how it is done.

You will need access to your web space via FTP or similar.

Navigate to the folder you want to protect (if this is your entire site then it will be the main root folder that your website is stored in).

You may already have an .htaccess file in the root directory. Have a look and see. If not you can create one and edit it. The basic structure will be:

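AuthUserFile /full/path/to/.htpasswd
AuthType Basic
AuthName "EnterPassword"
require valid-user

AuthUserFile will contain the path to a file containing your user name(s) and password(s) (the path shown above is a placeholder).
require can be set to valid-user, or to user followed by one or more of the names in the password file.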

There are two ways of creating the password file itself:

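(Not recommended) You can use a simple text file anywhere on your web site. A file stored inside the web root can potentially be requested by a visitor, which is why this option is discouraged.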

Preferably you can use a file called .htpasswd which can be stored outside the root directory of your site. You must know the path to the password file as it needs to be entered in the .htaccess file like this example:

Filename: .htaccess

[sourcecode]AuthUserFile /home/blahuser9/afolder/.htpasswd
AuthType Basic
AuthName "EnterPassword"
require valid-user[/sourcecode]

The password file should contain a username and password (or a list of user names and passwords).

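The passwords must be encrypted (hashed), not stored as plain text!

The easiest way to do this is to go to a site that will do it for you. Here is a great example. Apache also ships the htpasswd command-line utility, which produces the same kind of line locally without sending the password to a third party.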

So if you go to the KXS site above and enter Username: myname Password: mypassword you will then end up with a string of text that looks like this: myname:0ifoldegAzttw

This line goes in the .htpasswd file:

Filename: .htpasswd

[sourcecode]myname:0ifoldegAzttw[/sourcecode]

Once all that is done, anyone entering that folder on your site will have to enter myname / mypassword in order to go further.

You can also add multiple user names and passwords in the file.

You can then change the require line in .htaccess so that only a particular user is allowed:

require user myname

If it doesn’t work it will most likely be because the path to your password file is incorrect.

Remember the password needs to be encrypted, so do not try simply typing a password into the file without encrypting it first.
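A small checker for the two failure modes above (a wrong password-file path and passwords that were never hashed), as an added example that is not part of the original post. It also flags a password file placed inside the web root and the 13-character crypt() format of the example entry, which Apache's own documentation calls insecure; the `other` user in the sample data is constructed.

```python
import posixpath
import re

# Hash formats Apache accepts in a password file.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}")),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}")),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
    ("crypt-des", re.compile(r"[./A-Za-z0-9]{13}")),  # format of the page's example
]
# Constructed sample input: the page's example entry plus a made-up unhashed one.
SAMPLE_HTPASSWD = "myname:0ifoldegAzttw\nother:mypassword\n"
SAMPLE_HTACCESS = "AuthUserFile /home/blahuser9/afolder/.htpasswd\nAuthType Basic\n"

def classify_hash(value):
    """Name the hash format of a password field, or None if it matches none."""
    return next((name for name, rx in HASH_FORMATS if rx.fullmatch(value)), None)

def audit_htpasswd(text):
    """Return (user, problem) pairs for password-file lines that need attention."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, value = line.strip().partition(":")
        kind = classify_hash(value)
        if not sep or not user:
            problems.append((f"line {number}", "not in user:hash form"))
        elif kind is None:
            problems.append((user, "password is stored unhashed"))
        elif kind in ("sha1", "crypt-des"):
            problems.append((user, f"weak {kind} hash"))
    return problems

def audit_htaccess(text, docroot):
    """Return problems with AuthUserFile, given the absolute path of the web root."""
    path = None
    for line in text.splitlines():
        words = line.split(None, 1)
        if len(words) == 2 and words[0].lower() == "authuserfile":
            path = words[1].strip().strip('"')
    if path is None:
        return ["no AuthUserFile directive"]
    if not posixpath.isabs(path):
        return ["AuthUserFile is relative (Apache resolves it against ServerRoot)"]
    root = posixpath.normpath(docroot)
    if posixpath.commonpath([posixpath.normpath(path), root]) == root:
        return ["password file is inside the web root"]
    return []
```

Pass audit_htaccess the absolute path of your own web root as docroot. A plain password that happens to be 13 letters or digits has the same shape as a crypt() hash, so it is reported as weak rather than unhashed.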

There are many, many more things you can do with .htaccess, but this is intended as a guide for anyone who wants to do this as simply and quickly as possible.

Good luck, and if you have any questions feel free to post a comment.