Password Protect a Directory Using .htaccess
Protecting files on your website from unauthorized users can be very important. Even more important is the method by which you accomplish this task. You could use PHP to listen for login authorization information on each page, but that doesn't protect your images, documents, and other media, does it? That's why I've found the .htaccess method of protecting files and directories the most reliable. Oh, and it's easy too!
The system requires two files -- the .htaccess file and .htpasswd file.
The .htaccess Code
AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user
The above code protects a directory called "protect-me-dir" at root level. The "AuthUserFile" value is always specific to your hosting configuration. If you don't know what the value should be, do a phpinfo() and find the DOCUMENT_ROOT value.
The .htpasswd Code
davidwalsh:daWHfZrDLB88.
rodstewart:roFulYxC2.8ws
cssexpert:csmnmq.M8T5ho
The .htpasswd file contains the usernames and passwords of allowed users, one per line. The passwords are MD5'd for security purposes.
To generate encrypted passwords for your .htpasswd file, you can use my .htaccess password generator.
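An added example, not part of the original article: a Python check of the two files above that flags an AuthUserFile located under the document root (the Apache documentation says to keep it outside the document tree) and classifies each stored password by its format. The document root /home/davidwalsh/html is an assumption inferred from the path shown, and the function names are illustrative; 13-character entries such as the ones shown have the layout of traditional crypt() output.

```python
import posixpath
import re

# Constructed input: the article's two files, reproduced inline.
HTACCESS = '''AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user'''
HTPASSWD = '''davidwalsh:daWHfZrDLB88.
rodstewart:roFulYxC2.8ws'''
DOCUMENT_ROOT = "/home/davidwalsh/html"  # assumption: inferred from the path
PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1-unsalted"))

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path from .htaccess text, or None."""
    for line in htaccess_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authuserfile":
            return parts[1].strip().strip('"')
    return None

def is_inside(path, directory):
    """True if path, after resolving '..', lies under directory."""
    path, directory = posixpath.normpath(path), posixpath.normpath(directory)
    return path.startswith(directory.rstrip("/") + "/")

def hash_scheme(stored):
    """Classify a password field; 13 crypt-alphabet chars means crypt()."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt-des"
    return "unknown"

def audit(htaccess_text, htpasswd_text, document_root):
    """List findings: password file location and weak hash formats."""
    findings = []
    path = auth_user_file(htaccess_text)
    if path is None:
        findings.append("no AuthUserFile directive")
    elif is_inside(path, document_root):
        findings.append("AuthUserFile is inside the document root: " + path)
    for line in htpasswd_text.splitlines():
        user, sep, stored = line.strip().partition(":")
        if sep and hash_scheme(stored) in ("crypt-des", "sha1-unsalted"):
            findings.append(user + ": weak format " + hash_scheme(stored))
    return findings
```

Calling audit(HTACCESS, HTPASSWD, DOCUMENT_ROOT) returns one finding for the file location and one per user. Apache 2.4's htpasswd can write bcrypt entries with its -B option.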
Discussion
I am going to go out on a limb here and say that you are a rod stewart fan. :)
Btw, you can store sensitive documents in a folder that isn’t browsable by Apache and have PHP authenticate it before the user can download. I wrote an article about that on my blog.
@Mark: Share the link!
From the Apache documentation:
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
In your example, I would suggest moving .htpasswd to something like ‘/home/davidwalsh/protect-me-dir.htpasswd’.
Well, I didn’t want to be the guy that posts his links everywhere :) so I just mentioned it, but since it is relevant, here you go.
http://www.marksanborn.net/php/download-files-through-authentication/
@JP: Good tip!
How do I set the password to access a specific website?
Hello, I am very new at this and honestly need to know exactly how to do this. Do you know a step-by-step process? I do not want to upload into my website until I have tested it on my local machine.
Scenario: I have an HTML file that I open within a folder; however, I want to simply require a password before anyone can view it. Nothing really critical, just want to keep the masses out.
If I put the .htaccess file in that directory, and the .htpasswd in the same directory, how will that keep me from accessing the HTML file, when that is what I need to click on to test? Am I missing something here? Does the index.html on the server automatically look for this password file?
Anything would be great, or maybe you could direct me to a fully laid out example.
Thank you for your time
Paul
Hi David,
Really like this nifty little feature – but unfortunately everything seems to work fine except that the password is not accepted. I have tried several alternatives – all with the same result. Any tips on what I need to check will be much appreciated!
Cheers
Simon
Hi,
I did this and I think my path was incorrect. However, when I try to do the PHP info, it is requiring a password–which I can’t do because my path is wrong. How do I remove the .htaccess and .htpasswd from my site to fix them? They are not showing up as files in the directory.
Thanks,
Levana
I figured it out–just in case anyone reads this: you have to set your FTP client to “show hidden files.”
Hello,
Thanks for this great tip.
However, I’m encountering a rather strange problem. I have uploaded the files as directed and ensured the path to my .htpasswd file is correct by obtaining it from the DOCUMENT_ROOT line of the phpinfo() output.
The problem is that I’m able to enter an incorrect password and my browser will still advance me to my site.
Any suggestions on what’s going on here?
Thanks very much.
Hello,
I’d like to password protect my site, but am running into a strange problem. Incorrect passwords will still let me advance to my site. Can you help solve this problem?
Thank you very much.
How do I able to protect and organize the files in directory?
I have used your info above and it works well. Thank you. How do I prevent the password from being cached or held in cookies? When I log into the web browser it has the info and logs right in.
Thank you, Jeff
@Simon: I have the same issue.
Can this crash the Apache server? Or, depending on the server settings, a failed access (3+ tries) denies you access to the ENTIRE server? Using this on a server that I get access to host webpages, but don’t know the intricate security settings of the server. It connects slowly when it works, and if the wrong password denies me for x period of time. From any site that the server hosts, not just my section!! Anyone able to explain this?
Hi,
I am new to this and am confused. I am trying to figure out how come I can’t get the username/password to work.
I created the two files: .htaccess, which I put in the main directory of the site where the index file is, then I created the .htpasswd file and put it in the schedules dir off the main directory, so the address is http://www.trytobosa.org/schedules/default.html (it is all bogus right now while I am creating it). I put a bogus UN/PW idunno/idunno. Well, I used your .htpasswd Username & Password Generator and came up with the .htpasswd file as idunno:ideLMDeqo7cnE but it won’t work. Can you please help me? Am I doing something wrong? It thinks I have the wrong UN/PW.
I just tried it again in Firefox, Google Chrome and IE and none of them work. I guess I will have to wait for a hero to come to my rescue!
Ok, sorry for posting again but I had to change the directory where the .htaccess is because it just blocked me out of the complete tobosa website. If I put the .htaccess file in the root directory it will block me out of the root directory where the index file is. So I changed the directory to http://www.trytobosa.org/schedules/home/protect/default.html and put the .htaccess in the /home and the .htpasswd file in the /protect along with the default.html file where I have the bogus schedule page. Man, this is hard. Sorry I am such a bug! I just had to change the site before someone tried to view the website and was blocked out… eeeeek!