Directory protection using .htaccess

One of the more common/popular uses of .htaccess is to password protect specific directories using basic HTTP authentication. Using .htaccess to setup directory protection is a method by which one can limit access to specific content on your website only to users to whom you assign a username and password to login. This can be used to setup "members only" areas, fee based subscription content or to restrict access to administrative content to you personally.

Setting up directory protection involves the creation of two files, a .htaccess file stored within the directory (or the top folder in a directory tree you wish to password protect) and a second file commonly named .htpasswd in which the actual usernames and passwords are stored.

Note: As with several of the .htaccess features we are discussing in this knowledgebase topic area there is a convenient utility available within your HostRocket cPanel which is designed to automate the setting up of password protected folders. We recommend that customers check out the "Directory Protection" section in their cPanell for an easy method of setting this up which doesn't involve or require any manual editing or creation of .htaccess/.htpasswd files.

Creating the .htaccess file

Create a .htaccess file within the directory you wish to password protect containing code similar to the following:

AuthType Basic
AuthName "Members Only Area"
AuthUserFile /home/hruser/pwl/.htpasswd
Require valid-user

- The first and last lines are standard and should be used as-is

- On the AuthName line one can use any text they wish to appear on the login dialog users see when they are prompted for their username and password

- The AuthUserFile line must include the correct server path to your .htpasswd file. For security reasons it is recommended that one store the .htpassword file somewhere in their root username directory above public_html where it cannot be accessed from the web. In the example above the .htpasswd file has been placed in a folder named "pwl" in the /home/hruser directory (the topmost directory seen when you login to your HostRocket account via the File Manager or FTP.

Creating the .htpasswd file

The .htpasswd file which like .htaccess is just an ASCII (plain text) file contains a list of the users who are allowed to access your password protected directory and their assigned passwords. An example .htaccess file would be as follows:


As you can see the passwords are encrypted. The actual logins represented in the example above are:

username: John - password: dog
username: Mary - password: cat
username: Bob - password: bird
username: Neal - password: fish

As far as encrypting your passwords there are numerous .htaccess password generators publicly posted online as well as password generator scripts which you can install locally on your own account (note that when using the Directory Protection in your control panel the passwords you choose are encrypted automatically). One can find plenty of options for encrypting passwords suitable for use in a .htpasswd file via the links at the other end of this Google search:

Google search - htpasswd+password+generator

  • .htaccess, web development, directory privacy
  • 2 Users Found This Useful
Was this answer helpful?

Related Articles

Preventing bandwidth theft using .htaccess

While all HostRocket plans include plenty of bandwidth (transfer) nobody ever has enough...

Blocking users by IP address using .htaccess

Should you find that a few unruly visitors are causing you problems by posting unwanted messages...

Creating custom error pages using .htaccess

One of the many things one can do to make their website a little more professional-looking is to...

Redirection using .htaccess

Most websites are constantly changing "works in progress" and as one updates, rearranges and...

Setting a default index page using .htaccess

By default our servers will look for (in order) a file by the name of index.html, index.cgi,...