Directory protection using .htaccess

One of the more common/popular uses of .htaccess is to password protect specific directories using basic HTTP authentication. Using .htaccess to setup directory protection is a method by which one can limit access to specific content on your website only to users to whom you assign a username and password to login. This can be used to setup "members only" areas, fee based subscription content or to restrict access to administrative content to you personally.

Setting up directory protection involves the creation of two files, a .htaccess file stored within the directory (or the top folder in a directory tree you wish to password protect) and a second file commonly named .htpasswd in which the actual usernames and passwords are stored.

Note: As with several of the .htaccess features we are discussing in this knowledgebase topic area there is a convenient utility available within your HostRocket cPanel which is designed to automate the setting up of password protected folders. We recommend that customers check out the "Directory Protection" section in their cPanell for an easy method of setting this up which doesn't involve or require any manual editing or creation of .htaccess/.htpasswd files.

Creating the .htaccess file

Create a .htaccess file within the directory you wish to password protect containing code similar to the following:

AuthType Basic
AuthName "Members Only Area"
AuthUserFile /home/hruser/pwl/.htpasswd
Require valid-user

- The first and last lines are standard and should be used as-is

- On the AuthName line one can use any text they wish to appear on the login dialog users see when they are prompted for their username and password

- The AuthUserFile line must include the correct server path to your .htpasswd file. For security reasons it is recommended that one store the .htpassword file somewhere in their root username directory above public_html where it cannot be accessed from the web. In the example above the .htpasswd file has been placed in a folder named "pwl" in the /home/hruser directory (the topmost directory seen when you login to your HostRocket account via the File Manager or FTP.

Creating the .htpasswd file

The .htpasswd file which like .htaccess is just an ASCII (plain text) file contains a list of the users who are allowed to access your password protected directory and their assigned passwords. An example .htaccess file would be as follows:


As you can see the passwords are encrypted. The actual logins represented in the example above are:

username: John - password: dog
username: Mary - password: cat
username: Bob - password: bird
username: Neal - password: fish

As far as encrypting your passwords there are numerous .htaccess password generators publicly posted online as well as password generator scripts which you can install locally on your own account (note that when using the Directory Protection in your control panel the passwords you choose are encrypted automatically). One can find plenty of options for encrypting passwords suitable for use in a .htpasswd file via the links at the other end of this Google search:

Google search - htpasswd+password+generator

Was this answer helpful?

 Print this Article

Also Read

Introduction to .htaccess

What is .htaccess? The Apache Web server utilizes a per-directory access and configuration...

How do I re-direct non-https traffic to the https version of the website?

To re-direct a single site from http:// to https:// or https://www you would add the following...

Disabling directory listings using .htaccess

By default when accessing any directory which does not contain an index file (ex:...

How to redirect a page to another page or website using .htaccess?

If a page on your website no longer exists and you want to redirect it to your new page or...

How to create a user-friendly URL using .htaccess?

If your website is using a long URL like, you can change it...