Password Protect a Directory Using .htaccess

Protecting files on your website from unauthorized users can be very important. Even more important is the method by which you accomplish this task. You could use PHP to listen for login authorization information on each page, but that doesn't protect your images, documents, and other media, does it? That's why I've found the .htaccess method of protecting files and directories the most reliable. Oh, and it's easy too!

The system requires two files -- the .htaccess file and .htpasswd file.

The .htaccess Code

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user

The above code protects a directory called "protect-me-dir" at root level. The "AuthUserFile" value is always specific to your hosting configuration. If you don't know what the value should be, do a phpinfo() and find the DOCUMENT_ROOT value.

The .htpasswd Code

davidwalsh:daWHfZrDLB88.
rodstewart:roFulYxC2.8ws
cssexpert:csmnmq.M8T5ho

The .htpasswd file contains the usernames and passwords of allowed users, one per line. The passwords are MD5'd for security purposes.

To generate encrypted passwords for your .htpasswd file, you can use my .htaccess password generator.
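An audit sketch for the two files above, added here as an example and not code from the original post: it checks whether AuthUserFile points inside the document tree (the Apache documentation advises keeping it outside) and names the hash format of each .htpasswd entry. The DOC_ROOT value and the bcrypt-only policy are assumptions of this example; 13-character entries are the traditional crypt() format, while Apache's MD5 format starts with $apr1$.

```python
import re
from pathlib import PurePosixPath

# Sample input: the two files exactly as the article shows them.
HTACCESS = """AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user
"""
HTPASSWD = """davidwalsh:daWHfZrDLB88.
rodstewart:roFulYxC2.8ws
cssexpert:csmnmq.M8T5ho
"""
DOC_ROOT = "/home/davidwalsh/html"  # assumption: DOCUMENT_ROOT on this host

def hash_scheme(field):
    """Name the .htpasswd hash format from its prefix or shape."""
    if field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if field.startswith("$apr1$"):
        return "apr1-md5"
    if field.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt-des"
    return "unrecognised"

def audit(htaccess, htpasswd, doc_root):
    """Return findings for password-file placement and per-user hash format."""
    findings = []
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\n]+?)"?\s*$', htaccess, re.M | re.I)
    if m is None:
        findings.append("no AuthUserFile directive")
    # Absolute paths only; a relative path is resolved against ServerRoot.
    elif PurePosixPath(doc_root) in PurePosixPath(m.group(1)).parents:
        findings.append(f"AuthUserFile inside document tree: {m.group(1)}")
    for n, line in enumerate(htpasswd.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        user, sep, field = line.partition(":")
        scheme = hash_scheme(field.strip())
        if not sep:
            findings.append(f"line {n}: malformed entry")
        elif scheme != "bcrypt":  # policy of this example: accept bcrypt only
            findings.append(f"line {n}: {user} uses {scheme}")
    return findings

if __name__ == "__main__":
    for finding in audit(HTACCESS, HTPASSWD, DOC_ROOT):
        print(finding)
```
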


Comments

  1. Mark

    I am going to go out on a limb here and say that you are a rod stewart fan. :)

    Btw, you can store sensitive documents in a folder that isn’t browsable by Apache and have php authenticate it before the user can download. I wrote an article about that on my blog.

  2. david

    @Mark: Share the link!

  3. JP

    From the Apache documentation:

    Security

    Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

    In your example, I would suggest moving .htpasswd to something like ‘/home/davidwalsh/protect-me-dir.htpasswd’.

  4. Mark

    Well I didn’t want to be the guy that posts his links everywhere :) so I just mentioned it, but since it is relevant here you go.

    http://www.marksanborn.net/php/download-files-through-authentication/

  5. david

    @JP: Good tip!

  6. Paul

    Hello, I am very new at this and honestly need to know exactly how to do this. Do you know a step by step process? I do not want to upload into my website until I have tested it on my local machine.
    Scenario: I have an HTML file that I open within a folder, however I want to simply require a password before anyone can view it. Nothing really critical, just want to keep the masses out.

    If I put the .htaccess file in that directory, and the .htpasswd in the same directory, how will that keep me from accessing the html file, when that is what I need to click on to test? Am I missing something here? Does the index.html on the server automatically look for this password file?

    Anything would be great, or maybe you could direct me to a fully laid out example.

    Thank you for your time
    Paul

  7. Simon

    Hi David,
    Really like this nifty little feature – but unfortunately everything seems to work fine except that the password is not accepted. I have tried several alternatives – all with the same result. Any tips on what I need to check will be much appreciated!
    Cheers
    Simon

  8. Levana

    Hi,

    I did this and I think my path was incorrect. However, when I try to do the PHP info, it is requiring a password–which I can’t do because my path is wrong. How do I remove the .htaccess and .htpassword from my site to fix them? They are not showing up as files in the directory.

    Thanks,
    Levana

  9. Levana

    I figured it out–just in case anyone reads this: you have to set your FTP client to “show hidden files.”

  10. mark antony

    How am I able to protect and organize the files in the directory?

  11. eljane

    How am I able to protect and organize the files in the directory?

  12. Jeff Reese

    I have used your info above and it works well. Thank you. How do I prevent the password from being cached or held in cookies? When I log into the web browser it has the info and logs right in.
    Thank you, Jeff

  13. Eric

    @Simon: I have the same issue.

  14. Zachary

    Can this crash the Apache server? Or, depending on the server settings, a failed access (3+ tries) denies you access to the ENTIRE server?? Using this on a server that I get access to host webpages, but don’t know the intricate security settings of the server. It connects slowly when it works, and if the wrong password denies me for x period of time, from any site that the server hosts, not just my section!! Anyone able to explain this?

  15. Rupert Davenport

    I take it that this only protects a directory and not a specific folder?

  16. Ronak R.

    Awesome blog! :) I was just looking around for some tips of password protection.. and this is neat! I didn’t realize I was already using it by cPanel! :P

    Anyways, love the effects you’ve done on your logo.. and the social links that can be dragged anywhere!! One question: HOW did you do that!!!!!!!!!! :O :D

  17. Ian

    This is great, is it possible to specify which html file opens depending on which username is used to log in?

  18. paul

    Can we also make an easy ‘logout’ button???
    thx!

  19. Joe W

    I am trying to password protect a subdirectory on an FTP that is already inside of a password protected directory, but the folder becomes hidden as soon as I add in the .htaccess and .htpasswd files. Is there a line of code I can add to the .htaccess file to keep the subdirectory visible?

    Thanks in advance.

  20. Bryan

    I’m using this code in one of my directories but once I enter the URL and get the pop-up box and enter my UN/ PW it gets stuck in a continuous loop asking me to enter un/pw again and again. Help! Thanks!

  21. proxybox

    Bryan,
    I had the same problem. You can’t just put the password that you want to use into .htpasswd. You have to use the ‘htaccess password generator’ link that David has provided first. In that link you’ll enter your proposed username and password and it will spit out an MD5 user and password that you will enter into your .htpasswd file. Upload that to the folder you want to protect and it should work. Good luck!

  22. proxybox

    Jeff Reese,

    In order to have the username/password dialog box reappear, you need to close all your browser windows down and restart a new browser session after which the login window will appear again. Even if you clear your cookies, etc. the dialog box will not reopen.

  23. Will

    Proxybox, thank you. I made the same mistake as Bryan.

  24. Elijah Clark

    Still trying to get this to work. For some reason not working in my sub directory.

  25. Elijah Clark

    How do I allow access to certain directories? (How do I turn off the rewrite function?)

