How to create a password-protected directory on your webserver
Note: you must use HTPASSWD.EXE, or equivalent (including online generators) to create the password.
Password-protecting a directory is done with two files, .htaccess and .htpasswd. .htaccess, amongst other things, is used to define who can access what; .htpasswd defines the passwords for each user.
- allocate username and password (see our selection of password strategies)
- note the username and password in a secure location
- create .htaccess (see below for the format of this file)
- ensure .htaccess contains correct path to .htpasswd
- create .htpasswd (using HTPASSWD.EXE, or an equivalent, such as an online generator)
- using FTP, upload .htaccess into the directory to protect
- using FTP, create the secure directory to hold .htpasswd (if needed)
- using FTP, upload .htpasswd to the directory to hold .htpasswd
The password-protection can be tested by attempting to access the directory with your webbrowser.
Note: the .htaccess file has many functions, including password-protection, if you find you already have a .htaccess file in the directory you wish to protect, do not overwrite the existing contents - rather, add the password-protection parts to the end.
To enable password protection, your .htaccess file should include something like this:
AuthUserFile /home/hostingusername/uniquestring/auth/.htpasswd AuthGroupFile /dev/null AuthName Authentication AuthType Basic <Limit GET POST> require user USERNAME1 </Limit>
Note that you'll need to replace hostingusername with the username of your hosting account, and uniquestring with the string of alphanumeric characters which defines your home directory. For example, if your hosting account username was joebloggs and your unique string was ABCD1234, then the first line would become:
In the example, .htpasswd is in the /auth directory, if yours is elsewhere, you'll need to change the example to match the correct location.
Also, in the above example, change USERNAME1 to the name of the user you'd like to give access to. To do multiple users, add a line to the Limit section for each user, like this:
<Limit GET POST> require user USERNAME1 require user USERNAME2 require user USERNAME3 </Limit>
Note, the .htpasswd file should not be kept in the htdocs folder, or a subdirectory of it, if possible, as every file in the htdocs folder, and all subfolders, is publically-accessible. Web users will still need to guess the correct path to the htpasswd file, if they do not have FTP access - but if they do guess it (which might happen if it's in the same place it's kept for every other install of Xyz application) then they can download it, unless some other mechanism prevents them).