Password Protect a Directory Using .htaccess

Written by David Walsh on April 18, 2008 · 52 Comments

Protecting files on your website from unauthorized users can be very important. Even more important is the method by which you accomplish this task. You could use PHP to listen for login authorization information on each page, but that doesn't protect your images, documents, and other media, does it? That's why I've found the .htaccess method of protecting files and directories the most reliable. Oh, and it's easy too!

The system requires two files -- the .htaccess file and .htpasswd file.

The .htaccess Code

AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user

The above code protects a directory called "protect-me-dir" at root level. The "AuthUserFile" value is always specific to your hosting configuration. If you don't know what the value should be, do a phpinfo() and find the DOCUMENT_ROOT value.

The .htpasswd Code

davidwalsh:daWHfZrDLB88.
rodstewart:roFulYxC2.8ws
cssexpert:csmnmq.M8T5ho

The .htpasswd file contains the usernames and passwords of allowed users, one per line. The passwords are MD5'd for security purposes.

To generate encrypted passwords for your .htpasswd file, you can use my .htaccess password generator.
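An added check, not code from the original post: it reads the .htaccess and .htpasswd text shown above, reports an AuthUserFile that sits under the document root (the risk described in the Apache documentation quoted in the comments below), and classifies each stored hash by the formats Apache's htpasswd tool writes. DOCROOT and all function names are assumptions made for illustration.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Sample input copied from the article above; DOCROOT is an assumed value.
HTACCESS = """AuthType Basic
AuthName "restricted area"
AuthUserFile /home/davidwalsh/html/protect-me-dir/.htpasswd
require valid-user
"""
HTPASSWD = "davidwalsh:daWHfZrDLB88.\nrodstewart:roFulYxC2.8ws\ncssexpert:csmnmq.M8T5ho\n"
DOCROOT = "/home/davidwalsh/html"
PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1-unsalted"))
WEAK = {"des-crypt", "sha1-unsalted", "unknown-or-plaintext", "malformed"}

def auth_user_file(htaccess_text):
    """Return the AuthUserFile path from .htaccess text, or None if absent."""
    m = re.search(r'^[ \t]*AuthUserFile[ \t]+"?([^"\n]+?)"?[ \t]*$', htaccess_text, re.I | re.M)
    return m.group(1) if m else None

def inside_docroot(path, docroot):
    """True when path resolves to a location under docroot (servable by Apache)."""
    p = PurePosixPath(posixpath.normpath(path))
    root = PurePosixPath(posixpath.normpath(docroot))
    return p == root or root in p.parents

def hash_scheme(stored):
    """Classify a stored hash by the formats Apache's htpasswd tool writes."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "des-crypt"  # traditional crypt(): 2-char salt + 11-char hash
    return "unknown-or-plaintext"

def audit(htaccess_text, htpasswd_text, docroot):
    """Return a list of findings for one .htaccess/.htpasswd pair."""
    findings = []
    path = auth_user_file(htaccess_text)
    if path is None:
        findings.append("no AuthUserFile directive found")
    elif inside_docroot(path, docroot):
        findings.append(f"AuthUserFile is inside the document root: {path}")
    for n, line in enumerate(htpasswd_text.splitlines(), 1):
        user, sep, stored = line.strip().partition(":")
        scheme = hash_scheme(stored) if sep else "malformed"
        if line.strip() and scheme in WEAK:
            findings.append(f"line {n}: {user} uses {scheme}")
    return findings
```

Calling `audit(HTACCESS, HTPASSWD, DOCROOT)` returns the findings as a list of strings; an empty list means the password file is outside the document root and no entry uses a format in `WEAK`.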

Comments

  1. I am going to go out on a limb here and say that you are a rod stewart fan. :)

    Btw, you can store sensitive documents in a folder that isn’t browsable by Apache and have php authenticate it before the user can download. I wrote an article about that on my blog.

  2. @Mark: Share the link!

  3. From the Apache documentation:

    Security

    Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

    In your example, I would suggest moving .htpasswd to something like ‘/home/davidwalsh/protect-me-dir.htpasswd’.

  4. Well I didn’t want to be the guy that posts his links everywhere :) so I just mentioned it, but since it is relevant here you go.

    http://www.marksanborn.net/php/download-files-through-authentication/

  5. @JP: Good tip!

  6. Hello, I am very new at this and honestly need to know exactly how to do this. Do you know a step by step process? I do not want to upload into my website until I have tested it on my local machine.
    Scenario: I have an HTML file that I open within a folder, however I want to simply require a password before it can be viewed. Nothing really critical, just want to keep the masses out.

    If I put the .htaccess file in that directory, and the .htpasswd in the same directory, how will that keep me from accessing the html file, when that is what I need to click on to test? Am I missing something here? Does the index.html on the server automatically look for this password file?

    Anything would be great. Or maybe you could direct me to a fully laid out example.

    Thank you for your time
    Paul

  7. Hi David,
    Really like this nifty little feature – but unfortunately everything seems to work fine except that the password is not accepted. I have tried several alternatives – all with the same result. Any tips on what I need to check will be much appreciated!
    Cheers
    Simon

  8. Levana June 2, 2009

    Hi,

    I did this and I think my path was incorrect. However, when I try to do the PHP info, it is requiring a password–which I can’t do because my path is wrong. How do I remove the .htaccess and .htpassword from my site to fix them? They are not showing up as files in the directory.

    Thanks,
    Levana

  9. Levana June 4, 2009

    I figured it out–just in case anyone reads this: you have to set your FTP client to “show hidden files.”

  10. mark antony July 14, 2009

    How am I able to protect and organize the files in a directory?

  11. How am I able to protect and organize the files in a directory?

  12. I have used your info above and it works well. Thank you. How do I prevent the password from being cached or held in cookies? When I log into the web browser it has the info and logs right in.
    Thank you, Jeff

  13. @Simon: I have the same issue.

  14. can this crash the apache server? or depending on the server settings a failed access (3+tries) denies you access to the ENTIRE server??. using this on a server that i get access to host webpages. but don’t know the intricate security settings of the server? it connects slowly when it works, and if the wrong password denies me for x period of time. from any site that the server hosts. not just my section!! any able to explain this?

  15. I take it that this only protects a directory and not a specific folder?

  16. Awesome blog! :) I was just looking around for some tips of password protection.. and this is neat! I didn’t realize I was already using it by cPanel! :P

    Anyways, love the effects you’ve done on your logo.. and the social links that can be dragged anywhere!! One question: HOW did you do that!!!!!!!!!! :O :D

  17. This is great, is it possible to specify which html file opens depending on which username is used to log in?

  18. can we also make an easy ‘ logout’ button???
    thx!

  19. I am trying to password protect a subdirectory on an FTP that is already inside of a password protected directory, but the folder becomes hidden as soon as I add in the .htaccess and .htpasswd files. Is there a line of code I can add to the .htaccess file to keep the subdirect visible?

    Thanks in advance.

  20. I’m using this code in one of my directories but once I enter the URL and get the pop-up box and enter my UN/ PW it gets stuck in a continuous loop asking me to enter un/pw again and again. Help! Thanks!

  21. proxybox October 24, 2011

    Bryan,
    I had the same problem. You can’t just use the password that you want to use into .htpasswd. You have to use the ‘htaccess password generator’ link that David has provided first. In that link you’ll enter your proposed username and password and it will spit out an MD5 user and password that you will enter into your .htpasswd file. Upload that to the folder you want to protect and it should work. Good luck!

  22. proxybox October 24, 2011

    Jeff Reese,

    In order to have the username/password dialog box reappear, you need to close all your browser windows down and restart a new browser session after which the login window will appear again. Even if you clear your cookies, etc. the dialog box will not reopen.

  23. Proxybox, thank you. I made the same mistake as Bryan.

  24. still trying to get this to work. for some reason not working in my sub directory

  25. how do i allow access to certain directories. (how do i turn off the rewrite function)

  26. Unfortunately it did not work for me, already followed proxybox's suggestion but no password works for me. Any workaround to make it work?

  27. I couldn’t get this to work on my local web server, then I realised that httpd.conf contained the line
    AllowOverride None
    which was stopping Apache from looking at the .htaccess file. I changed it to
    AllowOverride All although AllowOverride AuthConfig would have been sufficient.

  28. Thanks … it is very easy to use it and remove it as well as :)
    carry on good task :)

  29. hello. pretty cool. but it worked the 1st time for me but then after i typed in my username and pw i get this error. and when i delete it and start fresh i get the same error.

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, admin@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

  30. i can get this to work it just hangs on the loading and still asks for the login and password.
    AllowedOverride All
    hashed the username and pw using your link.
    im not sure how to get this to work
    any suggestions?

  31. hi David. Thank you for your awesome web site. I have a little challenge for you. How it is now, you can assign 100+ users and passwords and all of them end up at the same index page. Is there a way to assign or redirect each line of usern. and passw. to a specific page.
    Example: lets say that 3 people have access to the log in password protected site, each person has a custom username and password, but if #1 logs in, it redirects #1 to the site welcome #1 , if #2 logs in, it redirects #2 to the site welcome #2 etc.
    Hope you can help us on that. thank you.

  32. i figured it out after hours of trying. here it is. exchange x and y with your files and users

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /var/chroot/home/content/path/path/html/path/.htpasswd
    require user x

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /var/chroot/home/content/path/path/html/path/.htpasswd
    require user y

    DirectoryIndex x.html y.html

    add as many as you like
    hope this helps.

  33. sorry this makes more sense.

    AuthType Basic
    AuthName “Restricted Area”
    AuthUserFile /var/chroot/home/content/path/path/html/path/.htpasswd
    require user x

    AuthType Basic
    AuthName “Restricted Area”
    AuthUserFile /var/chroot/home/content/path/path/html/path/.htpasswd
    require user y

    DirectoryIndex x.html y.html

  34. sorry it does not post correctly. ill try to explain.
    as you know each command must be on its own line. example: “AuthType Basic” on its own line “AuthName restricted area” on its own line etc….
    Put “Files x.html” wrapped in beginning code tag on its own line before “AuthType Basic”.
    And put “Files ” wrapped in end code tag after “require user x”. Now create a new line and repeat with user “File y.html” wrapped in beginning code tag followed by a new line of “AuthType Basic” followed by “AuthName “Restricted Area”"
    , “AuthUserFile /var/chroot/home/content/path/path/html/path/.htpasswd” , “require user y” ,and put “Files ” wrapped in end code tag after “require user y” etc..
    hope you understand, sorry about my crappy posting attempts :(

  35. i put .htaccess file in /var/www and .htpasswd in /var and tried below code. But after all these steps i am not getting even a prompting window. i restarted apache and changed permission for files too…but nothing seems to be working. ;( please help.
    AuthName "My Password-Protected Area - Authorized Users Only"
    AuthType Basic
    AuthUserFile /var/.htpasswd
    require user secretuser

  36. Using our free w3easyProtect script should be quite an easy way to password protect any web directory. Hopefully…;)

  37. Hi

    Nice post but isn't it possible to protect the main folder and then leave a subfolder unprotected?

  38. [...] Simple Password Protection for a Directory Using .htaccess Here is a simple way to password protect a directory with .htaccess. [...]

  39. Nice post, I’d like to protect my private directory in a subdomain, will it work well?

  40. This has been very useful for me! thanks a lot buddy

  41. If anyone is still struggling with this try using dynamic drive .htaccess banning located below.

    http://tools.dynamicdrive.com/password/

  42. sofian July 9, 2013

    one question, if i protect the root folder with this, will all the installation be secured? is it inherited to subfolders?

  43. Hi David,
    Great tutorial for the more advanced, however I think it’s important to mention to avoid confusion for newbies that the .htaccess file needs to be in the same directory you are protecting and not the root for example which is somewhat assumed in your explanation. You also should specify that you can’t type in the encrypted password, but instead have to type in the original password you used in the generator. Small nuances, but very important. Thanks!

  44. Hi,
    nice post, but i have a doubt on that post. i need to add htaccess and htpassword protection for a specific directory on my site. I have tried this below code, but it's taking the whole site as password protected.

    AddType application/x-httpd-php52 .php52 .php
    AuthName "Secure Area"
    AuthType Basic
    AuthUserFile /home/demo/public_html/demo_directory/.htpasswd
    require valid-user

    ————-

    Now i need to add password for demo_directory folder only. so pls help me.

    Thanks,
    mmkiyan.

    • Olivier D November 7, 2013

      you should revert what you did, I guess.
      You need to put the .htaccess inside the directory which you want to protect. And you move the .htpasswd “outside” of your whole web site: Apache will still be able to find it when authenticating, but it will also prevent users using the website from downloading it (as it’s now “outside” the web hierarchy).

      ex:
      1) create your /home/demo/public_html/demo_directory/.htaccess : [to protect demo_directory+everything underneath it]

      AddType application/x-httpd-php52 .php52 .php
      AuthName "Secure Area"
      AuthType Basic
      AuthUserFile /home/PRIVATE/.htpasswd
      

      2) And you create your /home/PRIVATE/.htpasswd file (containing lines made of “username:hashedpasswords”)
      Please note that hashedpasswords are created using one of the tools. It is NOT the password in clear! Just the corresponding hash. (never have passwords in clear in a file!)

      Hope this helps

  45. Olivier D November 7, 2013

    to mmkiyan : you should revert what you did, I guess.
    You need to put the .htaccess inside the directory which you want to protect. And you move the .htpasswd “outside” of your whole web site: Apache will still be able to find it when authenticating, but it will also prevent users using the website from downloading it (as it’s now “outside” the web hierarchy).

    ex:
    1) create your /home/demo/public_html/demo_directory/.htaccess : [to protect demo_directory+everything underneath it]

    AddType application/x-httpd-php52 .php52 .php
    AuthName "Secure Area"
    AuthType Basic
    AuthUserFile /home/PRIVATE/.htpasswd
    

    2) create your /home/PRIVATE/.htpasswd with lines made of “username:hashedpasswords”
    (hashedpasswords are created using one of the tools. it is NOT the password in clear! (never!) )

    Hope this helps

  46. […] Password Protect a Directory Using .htaccess Password Protecting Your Pages with htaccess Password protection with htaccess […]

  47. […] fact, I obviously first learned this from David as pretty much this exact same tip is on his site. Still, I think it’s worthy of re-posting because this is an extremely useful […]
