How To Protect Your Website Using Htaccess Password Protection?

How To Protect Your Website Using Htaccess Password Protection?

You may have come across a web page or a site that pops up a dialog box looking similar to the below one:

Authentication required box

  • If you are unaware of the username and the password, you cannot access such websites or pages- they are password protected.
  • Sometimes such extra layer authentication is likely to be used by the websites to limit the access for various reasons like:
  • Your website is still in development phase, and you do not want the general public to access it yet. You want only yourself and some other limited people to be able to view the work in progress.
  • You have a page on your website which you never want the general public to see. For example, some private pages like web stats.
  • Your website has some paid subscription content which you want only the subscribers to be able to see.
  • You want your website or pages to be accessed only from a particular location. For example, you want your only the users from the UK to access your site.
  • It must be used to protect your website’s back-end access. It gives an extra layer of security to your admin panel.

The Apache based servers let you protect your individual files, folders, pages, or the entire site by setting up the htaccess password protection. We as a web development company often come across such projects where the client specifically mentions the need of htaccess password protection. Moreover, we also use this protection in our various web development projects voluntarily.

The reason is this feature provides an extra layer of security to the specific categories of websites and pages. For those websites which are to be accessed by a limited audience, htaccess password protection is an ultimate approach.

So, let’s read and find out how it’s done.

Password protection- How it works?

You need to follow two crucial steps to setup password protection for your pages or site:

Step 1: Create a text file on the server to store the “Username” and “Password” information.

Step2: Create a file named “.htaccess” in the folder you want to protect. Let’s see how you can proceed to work out these steps.

First step: Creating password text file

In the first step, we will create a simple text file to store your username and password. We will use a semicolon (:) to separate the username and password.

Please Note: You must not enter the password in the plain text form. Use the text encryption to encode your password. There are various online free tools that can be used to encrypt your password.

You can use any of these for example:

4WebHelp’s online .htpasswd encryption tool

Alterlinks .htaccess password generator

So, now, open up your favorite text editor and type your username and encrypted password in a single line. Please mind separating the username and password with the semicolon. For example,


  • Then save the file and name it as “.htpasswd”.
  • Next, you need to upload the file to your website. Ensure that you have placed the file outside the Web root of your site. You can place it above the public_html or htdocs folder for example.
  • In case you are not able to place the file outside your Web root, then name it something that is not easily guessable, so that people won’t be able to find it easily.

Second Step: Creating .htaccess file

After creating and uploading the password file, the next step is to work out the .htaccess file. The .htaccess file is used to tell the server to use it to protect your pages. Basically, it consists of a set of instructions for the server.

  • So, again, open up your text editor and create a new text file by naming it as “.htaccess”.
  • Now, add the following code in your .htaccess file:

AuthUserFile /full/path/to/.htpasswd

AuthType Basic

AuthName “My Secret Folder”

Require valid-user

Please Note: /full/path/to/.htpasswd is the full path of the .htpasswd file that you uploaded earlier. So, replace /full/path/to/.htpasswd with your actual path in your copy of the code.

Also Note: The code given above will protect all the files in the folder where .htaccess file is uploaded. It will protect the subfolders under that folder as well. So, upload the .htaccess file to the folder which you want to protect.

If you want to password protect your whole website, then you can upload the .htaccess file in your Web root folder.

To Protect a particular file or Page

If you intend to password protect a particular page or file on your site, you can use the following code in your .htaccess file:

AuthUserFile /full/path/to/.htpasswd

AuthType Basic

AuthName “My Secret Page”

<Files “mypage.html”>

Require valid-user


Where “mypage.html” is the name of the file or page that you want to protect.

In case you face ERROR

  • If you cannot access your page or site even after entering the correct credentials, you need to check the path to your .htpasswd file on the server. Make sure you have specified the correct path in the AuthUserFile directive.
  • Also, check the file permission to both .htpasswd and .htaccess files. It should be chmod 644 for UNIX/Linux/FreeBSD servers.
  • In case if the password protection is not working and the dialog box is not appearing, you need to check the path of you uploaded .htaccess file. Check if you have uploaded in the correct folder.
  • Also, check if your web server supports .htaccess password protection.
  • Apache servers support it but you need to make sure your server admin has enabled the AuthConfig override for your site.

Over to you

Velocity can help you in a lot more web development aspects like these. You can contact us for any kind of general and eCommerce web development services. You can read more about many of such web development and maintenance tips on our official blog as well.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s