
Password Protecting Directories

If you want to password protect a certain directory and don't have the option to do that from your website control panel, this will explain how to use a .htaccess file and HTTP authentication to accomplish that.

The htaccess File

Firstly we need to create the .htaccess file to use inside the directory that we want to protect, so create a new file and include the following details:

AuthType Basic

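This tells the server which type of authentication we want to use (Basic or Digest). With Basic, the username and password are sent with every request encoded but not encrypted, so serve the protected directory over HTTPS.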

AuthName "Members Only"

"Members Only" is just an example. The AuthName gives the protected area a name or identity, and it is also the name that appears in the login box when somebody tries to access the directory. Make sure you include the quotes if the name you give is more than one word.

AuthUserFile /home/user/.password

Again, this is an example. Here you need to specify the full server path to the password file (which we'll create in a moment). This is not your web address like www.domain.com but the true path to the file on the server; ask your web host if you're unsure what this is.

It doesn't matter where the password file is located, but as with any file that contains sensitive information it's better to keep it outside your document root (for example in your home directory) so that it can't be requested through the web server.

Require valid-user

The final line tells the server that a visitor must log in as a "valid user" (one listed in the .password file) before being allowed access to the directory.

So your file should look something like this (with your own information in the middle two lines):

AuthType Basic
AuthName "Members Only"
AuthUserFile /home/user/.password
Require valid-user

Save the file as ".htaccess"; it should be named exactly that (without the quotes). Most text editors will add a .txt or .html extension when you try to save a file named just .htaccess. To prevent this, include the quotes around ".htaccess" when saving and it will be saved as it should be, without any extension.

The Password File

Next we need to create the file that holds the usernames and passwords of the people we want to allow access to the directory. This file does not have to be called '.password'. It doesn't matter what it's called as long as the server path and name in the .htaccess file match the file containing the usernames and passwords.

In this file all you need to include are the usernames and passwords of people whom you want to allow access to the directory, in the following format:

username:password

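However, the password must be stored in a specially encrypted (hashed) format, not as plain text. To get this you can use this page at kxs.net. If you have shell access, Apache's htpasswd utility generates the same kind of entry locally, so the password never leaves your machine.

You can add as many different users as you like to the file; just put each one on a new line.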

Save the .password file, making sure that your text editor doesn't add an extra extension (see above), and upload the .htaccess and .password files to your site. Place the .htaccess file inside each directory you wish to protect, and make sure the .password file is at the path you specified in the AuthUserFile line.

Note: You may find that once you upload the files to your webspace they seem to vanish, or appear as if they have not been uploaded. This is normal. You will only see the files after uploading them if your FTP client is set to show hidden files.
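A pre-upload check for the two files described above, added here as an example and not part of the original tutorial: it confirms that AuthUserFile is a full path outside the document root and that every password-file entry holds a recognised hash rather than a plain-text password. The function names, the /home/user/public_html document root and the sample entries are assumptions made for the illustration.

```python
import posixpath
import re

# (pattern, scheme, warning or None) for the hash formats Apache password files use.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$.{53}$"), "bcrypt", None),
    (re.compile(r"^\$apr1\$[^$]{1,8}\$.{22}$"), "apr1-md5", None),
    (re.compile(r"^\{SHA\}.{28}$"), "sha1", "unsalted SHA-1 hash, regenerate it"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "crypt", "DES crypt() hash, only 8 characters count"),
]

def classify(hash_field):
    """Return (scheme, warning) for the text after 'username:'."""
    for pattern, name, warning in SCHEMES:
        if pattern.match(hash_field):
            return name, warning
    return "unknown", "not a recognised hash, possibly a plain-text password"

def audit(htaccess, passwords, docroot):
    """Check .htaccess text and password-file text; return a list of findings."""
    findings, directives = [], {}
    for line in htaccess.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    path = directives.get("authuserfile")
    if not path:
        findings.append("AuthUserFile is missing")
    elif not path.startswith("/"):
        findings.append("AuthUserFile is not a full server path")
    elif posixpath.normpath(path).startswith(posixpath.normpath(docroot) + "/"):
        findings.append("password file is inside the document root")
    if "require" not in directives:
        findings.append("Require is missing")
    for number, line in enumerate(passwords.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        user, sep, hash_field = entry.partition(":")
        warning = classify(hash_field)[1] if user and sep else "expected username:password"
        if warning:
            findings.append(f"line {number} ({user}): {warning}")
    return findings

# Constructed sample input: the tutorial's .htaccess, plus a shape-valid placeholder bcrypt entry and a plain-text one.
HTACCESS = 'AuthType Basic\nAuthName "Members Only"\nAuthUserFile /home/user/.password\nRequire valid-user\n'
PASSWORDS = "alice:$2y$05$" + "A" * 53 + "\nbob:hunter2\n"
if __name__ == "__main__":
    print("\n".join(audit(HTACCESS, PASSWORDS, "/home/user/public_html")))
```

An empty list from audit() means none of these checks fired; it says nothing about how strong the passwords themselves are.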