Password Protect Your Site With .htaccess

How can I password protect a web page?

Certain file names have special purposes on a web server. A good example of this is index.html, which will automatically display in a web browser. Another file is .htaccess, but it never displays to visitors. What it does is look at the visitor and identifies such things as whether or not the visitor can even have a page displayed. A simple file with a few specific instructions in it, uploaded into the folder that you want to password protect, is basically all you need to do to protect that directory.

Password window

What is needed to make this happen?

No special tools are required to make the files. Any text editor, such as Notepad, will do. You will need to make a master password list which is usually called .htpasswd, and a .htaccess file is required in the parent folder that you want to have protected.

Please note that .htaccess files are only available on UNIX web servers.

The .htaccess file

Here is an example of what a basic file looks like:

AuthType Basic
AuthName "Authorized Users"
AuthUserFile /nfs/home/u/username/.htpasswd
require valid-user

Each line is pretty straight forward:

AuthType Basic: This is the authentication type which will always be Basic because that is what our server supports.
AuthName "Authorized Users": The actual AuthName is a variable and is entirely up to you. So for example if you had multiple password protected areas, you could specify what type of visitor is allowed in the protected space.
AuthUserFile /nfs/home/u/username/.htpasswd: The AuthUserFile line is where the master user list lives on the web server. In the example notice that because the username is 'username' I have used the letter 'u' as the parent folder. Substitute the first letter of your user name as your parent folder.
require valid-user: The require line allows you to specify what users are allowed into the protected area. The variable valid-user infers anyone that exists in the master user list.

The master user list, .htpasswd

The master user list should no be inside of your public_html folder but rather on the same level. Here's an example of what this looks like:

user1:CzFUwKiiV87R2
user2:tYF.3ClkjNAeg

You can encrypt a password by entering your chosen username and password into this form:

More information on .htaccess

We have only slightly touched on the topic of this very powerful feature. There is a number of excellent resources available on this topic including JavaScriptKit's Comprehensive guide to .htaccess, The Apache Tutorial on .htaccess, or do a Google search for .htaccess.

<< Return to Web Hosting Support

Please select your Service Area: