One of the more common/popular uses of .htaccess is to password protect specific directories using basic HTTP authentication. Using .htaccess to setup directory protection is a method by which one can limit access to specific content on your website only to users to whom you assign a username and password to login. This can be used to setup "members only" areas, fee based subscription content or to restrict access to administrative content to you personally.
Setting up directory protection involves the creation of two files, a .htaccess file stored within the directory (or the top folder in a directory tree you wish to password protect) and a second file commonly named .htpasswd in which the actual usernames and passwords are stored.
Note: As with several of the .htaccess features we are discussing in this knowledgebase topic area there is a convenient utility available within your HostRocket cPanel which is designed to automate the setting up of password protected folders. We recommend that customers check out the "Directory Protection" section in their cPanell for an easy method of setting this up which doesn't involve or require any manual editing or creation of .htaccess/.htpasswd files.
Creating the .htaccess file
Create a .htaccess file within the directory you wish to password protect containing code similar to the following:
AuthType Basic
AuthName "Members Only Area"
AuthUserFile /home/hruser/pwl/.htpasswd
Require valid-user
- The first and last lines are standard and should be used as-is
- On the AuthName line one can use any text they wish to appear on the login dialog users see when they are prompted for their username and password
- The AuthUserFile line must include the correct server path to your .htpasswd file. For security reasons it is recommended that one store the .htpassword file somewhere in their root username directory above public_html where it cannot be accessed from the web. In the example above the .htpasswd file has been placed in a folder named "pwl" in the /home/hruser directory (the topmost directory seen when you login to your HostRocket account via the File Manager or FTP.
Creating the .htpasswd file
The .htpasswd file which like .htaccess is just an ASCII (plain text) file contains a list of the users who are allowed to access your password protected directory and their assigned passwords. An example .htaccess file would be as follows:
John:68kHetWNYJqjs
Mary:22I2iOlMCAIx2
Bob:56xatL9elalv2
Neal:40W15WGDWK5Bo
As you can see the passwords are encrypted. The actual logins represented in the example above are:
username: John - password: dog
username: Mary - password: cat
username: Bob - password: bird
username: Neal - password: fish
As far as encrypting your passwords there are numerous .htaccess password generators publicly posted online as well as password generator scripts which you can install locally on your own account (note that when using the Directory Protection in your control panel the passwords you choose are encrypted automatically). One can find plenty of options for encrypting passwords suitable for use in a .htpasswd file via the links at the other end of this Google search: